
Windows Analysis Report
rPEDIDOS-10032023-X491kkum.msi

Overview

General Information

Sample Name:rPEDIDOS-10032023-X491kkum.msi
Analysis ID:825345
MD5:09ba2f3996fe2389d374753896bd593b
SHA1:d19351ea7140e44f0db0de6a997e6f6694b5e5f9
SHA256:9de598ad601033a29a124daee8da5c18ab0a1322411207c4a3daf9f73cf6db21
Tags:msi

Detection

Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file has a writeable .text section
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
Allocates memory with a write watch (potentially for evading sandboxes)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Queries keyboard layouts
Yara detected Keylogger Generic
Launches processes in debugging mode, may be used to hinder debugging
Checks for available system drives (often done to infect USB drives)
Dropped file seen in connection with other malware

Classification

  • System is w10x64
  • msiexec.exe (PID: 5832 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\rPEDIDOS-10032023-X491kkum.msi" MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 4532 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 5048 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding EC5E3FB451649D45F397BF6A1C544ED2 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • abd1 .exe (PID: 1800 cmdline: C:\Users\user\AppData\Roaming\abd1 .exe MD5: CEEF4762B36067F1D32A0DB621EE967E)
  • abd1 .exe (PID: 972 cmdline: "C:\Users\user\AppData\Roaming\abd1 .exe" MD5: CEEF4762B36067F1D32A0DB621EE967E)
  • abd1 .exe (PID: 5304 cmdline: "C:\Users\user\AppData\Roaming\abd1 .exe" MD5: CEEF4762B36067F1D32A0DB621EE967E)
No configs have been found
Yara matches

Dropped file
  • C:\Users\user\AppData\Roaming\abd1 .exe: JoeSecurity_DelphiSystemParamCount (Detected Delphi use of System.ParamCount(); author: Joe Security)

Process memory dumps
  • 00000003.00000000.271003377.0000000000401000.00000020.00000001.01000000.00000003.sdmp: JoeSecurity_DelphiSystemParamCount (Detected Delphi use of System.ParamCount(); author: Joe Security)
  • 00000003.00000003.284533577.0000000004B43000.00000004.00000020.00020000.00000000.sdmp: JoeSecurity_Keylogger_Generic (Yara detected Keylogger Generic; author: Joe Security)
  • 00000003.00000002.608853971.0000000004D31000.00000040.00000020.00020000.00000000.sdmp: JoeSecurity_Keylogger_Generic (Yara detected Keylogger Generic; author: Joe Security)
  • 0000000E.00000002.584150699.0000000004DC6000.00000040.00000020.00020000.00000000.sdmp: JoeSecurity_Keylogger_Generic (Yara detected Keylogger Generic; author: Joe Security)
  • 0000000D.00000002.580917188.0000000004D14000.00000040.00000020.00020000.00000000.sdmp: JoeSecurity_Keylogger_Generic (Yara detected Keylogger Generic; author: Joe Security)
  • (3 further memory matches not shown in this export)

Unpacked PE
  • 3.0.abd1 .exe.400000.0.unpack: JoeSecurity_DelphiSystemParamCount (Detected Delphi use of System.ParamCount(); author: Joe Security)

Caveat on the keylogger verdict: the four Keylogger_Generic memory hits are exactly the four dumps that also carry the wkernelbase.pdb debug string (see the binary strings listed later), and the DirectInput8Create / GetRawInputData strings quoted in the networking and input section come from one of them. These are API-name matches in regions holding system-DLL data, so treat "Keylogger Generic" as string evidence until the code that calls those APIs is located in the unpacked image.

No Sigma rule has matched
No Snort rule has matched


                AV Detection

Source: rPEDIDOS-10032023-X491kkum.msi | Virustotal: Detection: 29%
Source: rPEDIDOS-10032023-X491kkum.msi | ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Roaming\WebUI.dll | ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Roaming\WebUI.dll | Joe Sandbox ML: detected
Source: Binary string: iphlpapi.pdb / iphlpapi.pdbUGP | source: abd1 .exe, 00000003.00000002.603077321.000000000470A000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.579814263.0000000004B7A000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.576989049.0000000004908000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb / wkernel32.pdbGCTL | source: abd1 .exe, 00000003.00000002.604481695.0000000004876000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.288014341.00000000046A3000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.575974344.000000000484E000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.575718963.00000000047BC000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: advapi32.pdb / advapi32.pdbUGP | source: abd1 .exe, 00000003.00000002.603077321.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.579814263.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.576989049.0000000004890000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb / wkernelbase.pdbUGP | source: abd1 .exe, 00000003.00000002.608853971.0000000004D31000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.284533577.0000000004B43000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.580917188.0000000004D14000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.584150699.0000000004DC6000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb / wntdll.pdbUGP | source: abd1 .exe, 00000003.00000003.280979330.000000000480F000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.605831649.00000000049A1000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.577226077.0000000004970000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.578185504.0000000004A3C000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: wuser32.pdb / wuser32.pdbUGP | source: abd1 .exe, 00000003.00000002.611192393.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000003.438355433.0000000004B2C000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.584990480.0000000004F01000.00000040.00000800.00020000.00000000.sdmp
These PDB names belong to the Windows system DLLs mapped into the 32-bit abd1 .exe processes (the w-prefixed names are the WOW64 builds of ntdll, kernel32, kernelbase and user32); they are the debug records of those DLLs, not a PDB path left in the sample by its author.
Source: C:\Windows\System32\msiexec.exe | File opened: a:, b:, c:, e:, f:, g:, h:, i:, j:, k:, l:, m:, n:, o:, p:, q:, r:, s:, t:, u:, v:, w:, x:, y:, z: (one entry per drive letter in the report; d: is not listed). The process probing drive letters is the Windows Installer service itself, not the dropped payload, so this is the "Checks for available system drives" signature firing on msiexec.exe.
Source: Joe Sandbox View | IP Address: 15.228.77.178
Source: Joe Sandbox View | IP Address: 81.176.228.4
Source: global traffic | HTTP traffic detected:
  GET /pedro/inspecionando.php HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: telemarketin-ru.1gb.ru
  Connection: Keep-Alive
  (the URI path "inspecionando" is Portuguese for "inspecting", and the lure name "PEDIDOS" in the MSI file name is Portuguese for "orders")
Source: unknown | TCP traffic detected without corresponding DNS query: 15.228.77.178 (3 times)
Source: abd1 .exe, 00000003.00000000.271003377.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: abd1 .exe, 00000003.00000000.271003377.0000000000401000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://stats.itopvpn.com/iusage.php
Source: abd1 .exe, 0000000E.00000002.503469245.0000000000195000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://telemarketin-ru.1gb.ru/pedro/inspecionando.php
Source: abd1 .exe, 0000000E.00000002.504207497.0000000000916000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://telemarketin-ru.1gb.ru/pedro/inspecionando.php followed by stray bytes ((Z, -X, 0Z, 2?Z, =Z)
Source: abd1 .exe, 0000000E.00000002.504207497.000000000090D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://telemarketin-ru.1gb.ru/pedro/inspecionando.php?Z
Source: abd1 .exe, 0000000E.00000002.504207497.0000000000946000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://telemarketin-ru.1gb.ru/pedro/inspecionando.phpCC:
Source: abd1 .exe, 0000000D.00000002.500278437.0000000000195000.00000004.00000010.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.503469245.0000000000195000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://telemarketin-ru.1gb.ru/pedro/inspecionando.phputllib.dll.DLL
Source: abd1 .exe, abd1 .exe, 00000003.00000002.595147718.0000000000F1F000.00000040.00000001.01000000.00000004.sdmp, abd1 .exe, 0000000D.00000002.588489150.000000000511F000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.502129000.0000000000F3B000.00000040.00000001.01000000.00000004.sdmp, abd1 .exe, 0000000E.00000002.588364426.000000000513F000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.505849205.0000000000F2F000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: http://www.indyproject.org/ (Indy, the Delphi networking library, consistent with the Delphi Yara hits)
Source: abd1 .exe | String found in binary or memory: http://www.indyproject.org/Original
Source: abd1 .exe, 0000000E.00000002.504207497.0000000000946000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.comt
Source: unknown | DNS traffic detected: queries for: telemarketin-ru.1gb.ru
Source: abd1 .exe, 00000003.00000002.608853971.0000000004D31000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: DirectInput8Create
Source: abd1 .exe, 00000003.00000002.608853971.0000000004D31000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: GetRawInputData
Source: Yara match | File source: 00000003.00000003.284533577.0000000004B43000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.608853971.0000000004D31000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.584150699.0000000004DC6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.580917188.0000000004D14000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: abd1 .exe PID: 1800, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: abd1 .exe PID: 972, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: abd1 .exe PID: 5304, type: MEMORYSTR

                System Summary

Source: WebUI.dll.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE (a code section that is also writable, which is what the "writeable .text section" signature keys on; normal linker output leaves IMAGE_SCN_MEM_WRITE clear on .text)
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSIB3E1.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\3eaf2e.msi
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Code function: 3_2_00D51A20
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Code function: 3_2_00F225D1
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Code function: String function: 00D51818 appears 63 times
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Code function: String function: 00D20B98 appears 33 times
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll (2 times)
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll (2 times)
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Section loaded: webui.dll (3 times; presumably the dropped C:\Users\user\AppData\Roaming\WebUI.dll sitting beside the executable, the file ReversingLabs and Joe Sandbox ML flag above)
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\abd1 .exe EFB6169BBB869A849AFB91184A75B906FE509CBF6E672B6B4F3311C02343BBBB
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\rPEDIDOS-10032023-X491kkum.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EC5E3FB451649D45F397BF6A1C544ED2
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\abd1 .exe "C:\Users\user\AppData\Roaming\abd1 .exe" (2 times)
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32 (the Microsoft WebBrowser ActiveX control)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\abd1 .exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSIeaa1d.LOG
Source: classification engine | Classification label: mal76.evad.winMSI@8/27@1/2
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (9 times; a Delphi runtime lookup)
Source: rPEDIDOS-10032023-X491kkum.msi | Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$3cc
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$708
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$14b8
  (madExcept is a Delphi exception-handling library; the hex suffix is the creating process ID, $3cc = 972, $708 = 1800, $14b8 = 5304, one mutex per abd1 .exe instance, so the full name is not usable as a fixed IOC)
Source: Yara match | File source: 3.0.abd1 .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.271003377.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\abd1 .exe, type: DROPPED
Source: C:\Users\user\AppData\Roaming\abd1 .exe | File read: C:\Windows\System32\drivers\etc\hosts (2 times)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: rPEDIDOS-10032023-X491kkum.msi | Static file information: File size 8616448 > 1048576
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Code function: 3_2_00F2279B push eax; ret 3_2_00F227D9
Source: WebUI.dll.1.dr | Static PE information: section name: .sedata (listed twice)
Source: initial sample | Static PE information: section where entry point is pointing to: .sedata
Source: initial sample | Static PE information: section name: .sedata entropy: 7.12307212976009
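The three static checks recorded above (WebUI.dll's .text section carrying IMAGE_SCN_MEM_WRITE, the entry point of the initial sample inside a section named .sedata, and that section's 7.12 bits/byte entropy) need no sandbox; they come straight from the COFF section table. The Python below is an added example written for this page, not Joe Sandbox code or the sample's code: it parses the section table with `struct`, applies the three checks, and builds a small constructed PE32 image with the same three properties as test input (the real sample is not embedded). The list of "standard" code section names and the 7.0 bits/byte entropy threshold are assumptions chosen here, not the sandbox's settings.

```python
import hashlib
import math
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumptions made for this example (not Joe Sandbox's internal lists):
# names a linker normally gives the code section, and the entropy level
# above which a section is treated as packed or encrypted.
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code"}
HIGH_ENTROPY_BITS = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (entry_rva, [(name, rva, virtual_size, raw_bytes, characteristics), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i  # section table follows the optional header
        name, vsize, rva, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize,
                         pe[raw_ptr:raw_ptr + raw_size], chars))
    return entry_rva, sections


def static_findings(pe: bytes) -> list:
    """Reproduce the report's three static section checks on one PE image."""
    entry_rva, sections = parse_sections(pe)
    findings = []
    for name, rva, vsize, raw, chars in sections:
        if chars & IMAGE_SCN_CNT_CODE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"writable code section: {name}")
        if rva <= entry_rva < rva + max(vsize, len(raw)) and name not in STANDARD_CODE_SECTIONS:
            findings.append(f"entry point in non-standard section: {name}")
        ent = shannon_entropy(raw)
        if ent > HIGH_ENTROPY_BITS:
            findings.append(f"high-entropy section: {name} ({ent:.2f} bits/byte)")
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 test input with the same three properties; not the analysed sample."""
    text_raw = b"\xC3" * 0x200  # a RET sled: valid code, zero entropy
    # Deterministic pseudo-random bytes stand in for a packed .sedata section.
    sedata_raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt_size = 0x60
    coff_header = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", optional, 16, 0x2010)   # entry point inside .sedata

    def section(name, vsize, rva, raw_ptr, raw_size, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, rva, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    rwx = (IMAGE_SCN_CNT_CODE | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE
           | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)  # the flag set reported for WebUI.dll
    rx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    table = (section(b".text", 0x200, 0x1000, 0x200, 0x200, rwx)
             + section(b".sedata", 0x200, 0x2000, 0x400, 0x200, rx))
    headers = (dos_header + b"PE\0\0" + coff_header + bytes(optional) + table).ljust(0x200, b"\0")
    return headers + text_raw + sedata_raw


if __name__ == "__main__":
    for finding in static_findings(build_sample_pe()):
        print(finding)
```

Run as a script it prints the three findings for the constructed image; on a real file call `static_findings(open(path, "rb").read())`. The parser expects a PE, so point it at the extracted WebUI.dll or abd1 .exe rather than at the MSI container.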
Source: C:\Windows\System32\msiexec.exe | File created (dropped file): C:\Users\user\AppData\Roaming\WebUI.dll
Source: C:\Windows\System32\msiexec.exe | File created (dropped file): C:\Users\user\AppData\Roaming\abd1 .exe
Source: C:\Windows\System32\msiexec.exe | File created (dropped files): C:\Windows\Installer\MSIB578.tmp, MSIB3E1.tmp, MSIB606.tmp, MSIB6D2.tmp, MSIB76F.tmp
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run abd1 .exe (2 times)
  (user-level Run-key persistence; note the literal space before ".exe" in both the file name and the value name, which a hunt query for the value or the path has to preserve)

                Hooking and other Techniques for Hiding and Protection

                barindex
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Memory written: PID: 1800 base: 4A3E60 value: E9 FB 65 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Memory written: PID: 1800 base: 4A397C value: E9 FB 68 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Memory written: PID: 1800 base: 49FCC0 value: E9 0B E7 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Memory written: PID: 1800 base: 49FCE4 value: E9 6B E7 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Memory written: PID: 1800 base: 49FCF4 value: E9 FF E8 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Memory written: PID: 1800 base: 49FCB0 value: E9 B7 EA 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Memory written: PID: 972 base: 4A3E60 value: E9 FB 65 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Memory written: PID: 972 base: 4A397C value: E9 FB 68 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Memory written: PID: 972 base: 49FCC0 value: E9 0B E7 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Memory written: PID: 972 base: 49FCE4 value: E9 6B E7 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Memory written: PID: 972 base: 49FCF4 value: E9 FF E8 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Memory written: PID: 972 base: 49FCB0 value: E9 B7 EA 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Memory written: PID: 5304 base: 4A3E60 value: E9 FB 65 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Memory written: PID: 5304 base: 4A397C value: E9 FB 68 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Memory written: PID: 5304 base: 49FCC0 value: E9 0B E7 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Memory written: PID: 5304 base: 49FCE4 value: E9 6B E7 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Memory written: PID: 5304 base: 49FCF4 value: E9 FF E8 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Memory written: PID: 5304 base: 49FCB0 value: E9 B7 EA 06 00
                Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CB5830 second address: 0000000002CB592B instructions: 0x00000000 rdtsc 0x00000002 rol ebp, 00000000h 0x00000005 jmp 00007F6A109899F6h 0x00000007 jl 00007F6A10989A46h 0x00000009 bt ebx, eax 0x0000000c mov bl, byte ptr [esp] 0x0000000f bswap edx 0x00000011 mov ax, word ptr [esp] 0x00000015 mov dl, 43h 0x00000017 mov ax, 8824h 0x0000001b clc 0x0000001c jmp 00007F6A10989B7Eh 0x00000021 jc 00007F6A10989965h 0x00000027 jnc 00007F6A1098995Fh 0x0000002d lea esp, dword ptr [esp+04h] 0x00000031 neg ebp 0x00000033 mov bh, byte ptr [esp] 0x00000036 rol al, 00000007h 0x00000039 jmp 00007F6A10989A8Bh 0x0000003b jne 00007F6A10989A4Dh 0x0000003d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CB7AB0 second address: 0000000002CB7AB4 instructions: 0x00000000 rdtsc 0x00000002 xchg ah, dh 0x00000004 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CC3D27 second address: 0000000002CC3EB2 instructions: 0x00000000 rdtsc 0x00000002 mov dh, byte ptr [esp] 0x00000005 jmp 00007F6A109899D1h 0x00000007 pushfd 0x00000008 push dword ptr [esp+04h] 0x0000000c retn 0008h 0x0000000f lea esp, dword ptr [esp+03h] 0x00000013 jmp 00007F6A10989ABFh 0x00000018 add esi, 04h 0x0000001b mov ax, word ptr [esp] 0x0000001f setb dh 0x00000022 xchg dl, ah 0x00000024 jmp 00007F6A109899EDh 0x00000026 push edi 0x00000027 mov ah, byte ptr [esp] 0x0000002a xchg edi, eax 0x0000002c push ecx 0x0000002d jmp 00007F6A10989A36h 0x0000002f push esi 0x00000030 xchg bl, al 0x00000032 dec bh 0x00000034 jp 00007F6A10989AAEh 0x00000036 mov ecx, ebx 0x00000038 jmp 00007F6A10989A94h 0x0000003a mov ah, byte ptr [esp] 0x0000003d mov dx, 5C02h 0x00000041 xor dx, 3A64h 0x00000046 jmp 00007F6A10989D77h 0x0000004b jbe 00007F6A10989A9Bh 0x0000004d jnbe 00007F6A10989A99h 0x0000004f push esi 0x00000050 mov esi, 54CE0987h 0x00000055 xor bl, ch 0x00000057 jbe 00007F6A10989853h 0x0000005d ja 00007F6A1098984Dh 0x00000063 call 00007F6A109899B4h 0x00000068 pop edi 0x00000069 jmp 00007F6A109898FBh 0x0000006e lea edi, dword ptr [00000000h+eax*4] 0x00000075 lea eax, dword ptr [00000000h+esi*4] 0x0000007c setle al 0x0000007f inc al 0x00000081 js 00007F6A109899FEh 0x00000083 jns 00007F6A109899FCh 0x00000085 jmp 00007F6A10989B51h 0x0000008a pop edi 0x0000008b mov edx, 9C6E709Dh 0x00000090 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CAFAF6 second address: 0000000002CAFCBF instructions: 0x00000000 rdtsc 0x00000002 pop dx 0x00000004 jmp 00007F6A109670E8h 0x00000006 xchg eax, edx 0x00000007 dec ax 0x00000009 jno 00007F6A10967097h 0x0000000b xchg al, ah 0x0000000d mov ax, bp 0x00000010 lea esp, dword ptr [esp+02h] 0x00000014 jmp 00007F6A109670C6h 0x00000016 add bl, 00000011h 0x00000019 mov ax, 9BD1h 0x0000001d mov eax, EC020B0Fh 0x00000022 mov al, byte ptr [esp] 0x00000025 xchg al, ah 0x00000027 jmp 00007F6A1096721Dh 0x0000002c lea edx, dword ptr [ebx-000000E2h] 0x00000032 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CAFCBF second address: 0000000002CAFBA8 instructions: 0x00000000 rdtsc 0x00000002 dec bl 0x00000004 mov dl, 6Ah 0x00000006 lea edx, dword ptr [00000000h+eax*4] 0x0000000d jmp 00007F6A1098990Ch 0x00000012 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002D008B3 second address: 0000000002D0092A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A109670D0h 0x00000004 sub ebp, 02h 0x00000007 neg ah 0x00000009 jmp 00007F6A109670FEh 0x0000000b jo 00007F6A10967068h 0x0000000d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002D0092A second address: 0000000002D0094B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A109899E6h 0x00000004 movzx ebx, byte ptr [esi] 0x00000007 sub esp, 0Ah 0x0000000a jmp 00007F6A10989AE5h 0x0000000f jl 00007F6A109899A5h 0x00000015 xchg dword ptr [esp+01h], eax 0x00000019 pop word ptr [esp] 0x0000001d jmp 00007F6A109899F5h 0x0000001f mov dx, word ptr [esp] 0x00000023 mov dh, ah 0x00000025 sub esp, 10h 0x00000028 jmp 00007F6A109899FEh 0x0000002a lea esp, dword ptr [esp+0Fh] 0x0000002e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CCF002 second address: 0000000002CCF00A instructions: 0x00000000 rdtsc 0x00000002 lea ebx, dword ptr [edi-6350673Ch] 0x00000008 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CCF00A second address: 0000000002CCEDBB instructions: 0x00000000 rdtsc 0x00000002 neg eax 0x00000004 jns 00007F6A10989825h 0x0000000a js 00007F6A1098981Fh 0x00000010 jmp 00007F6A109899DAh 0x00000012 mov ebx, esi 0x00000014 mov edx, dword ptr [ebx] 0x00000016 mov ah, al 0x00000018 mov eax, dword ptr [esp] 0x0000001b jmp 00007F6A109899CCh 0x0000001d mov bl, byte ptr [esi+04h] 0x00000020 clc 0x00000021 jc 00007F6A10989A16h 0x00000023 mov ah, byte ptr [esp] 0x00000026 jmp 00007F6A10989A14h 0x00000028 call 00007F6A10989A6Bh 0x0000002d mov dword ptr [esp], eax 0x00000030 jmp 00007F6A10989A10h 0x00000032 sub esi, 02h 0x00000035 mov eax, 22755878h 0x0000003a mov ax, 5CECh 0x0000003e mov ah, cl 0x00000040 jmp 00007F6A10989A5Ah 0x00000042 xchg ebx, ecx 0x00000044 lea eax, dword ptr [eax+edi] 0x00000047 lea eax, dword ptr [00000000h+eax*4] 0x0000004e mov ah, byte ptr [esp] 0x00000051 jmp 00007F6A10989A0Bh 0x00000053 shl edx, cl 0x00000055 lea eax, dword ptr [00000000h+edx*4] 0x0000005c push bp 0x0000005e mov byte ptr [esp], bl 0x00000061 jmp 00007F6A10989A73h 0x00000063 lea esp, dword ptr [esp+02h] 0x00000067 xchg ebx, ecx 0x00000069 mov eax, esp 0x0000006b xchg al, ah 0x0000006d lea eax, dword ptr [ebx-000082EAh] 0x00000073 jmp 00007F6A10989A08h 0x00000075 mov dword ptr [esi+04h], edx 0x00000078 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CC9DA4 second address: 0000000002CC9DF6 instructions: 0x00000000 rdtsc 0x00000002 dec ebp 0x00000003 jmp 00007F6A10967033h 0x00000005 mov ax, word ptr [esp] 0x00000009 btc dx, si 0x0000000d jmp 00007F6A109670F8h 0x0000000f jnbe 00007F6A1096706Eh 0x00000011 mov ah, byte ptr [esp] 0x00000014 lea edx, dword ptr [00000000h+eax*4] 0x0000001b mov eax, dword ptr [esp] 0x0000001e add dx, 7A10h 0x00000023 not ah 0x00000025 mov edx, edi 0x00000027 jmp 00007F6A1096714Dh 0x0000002c inc dx 0x0000002e jnle 00007F6A10967098h 0x00000030 not edx 0x00000032 mov edx, dword ptr [esp] 0x00000035 jmp 00007F6A109670CCh 0x00000037 not bl 0x00000039 bt edx, eax 0x0000003c jle 00007F6A10967091h 0x0000003e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CC9DF6 second address: 0000000002CC9EAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A10989AB9h 0x00000007 setnle dl 0x0000000a setns dl 0x0000000d cmp edx, esi 0x0000000f jmp 00007F6A10989A00h 0x00000011 mov edx, dword ptr [esp] 0x00000014 neg bl 0x00000016 bswap edx 0x00000018 rcl eax, 07h 0x0000001b jmp 00007F6A10989A36h 0x0000001d jnbe 00007F6A10989A0Ah 0x0000001f mov ax, word ptr [esp] 0x00000023 shl edx, 19h 0x00000026 jmp 00007F6A10989A65h 0x00000028 mov edx, dword ptr [esp] 0x0000002b rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CC4149 second address: 0000000002CC41B4 instructions: 0x00000000 rdtsc 0x00000002 call 00007F6A1096710Ah 0x00000007 lea edx, dword ptr [ebx+ebp] 0x0000000a mov bx, bp 0x0000000d jmp 00007F6A10967094h 0x0000000f lea ebx, dword ptr [esi-0000FFF0h] 0x00000015 xchg dword ptr [esp], edi 0x00000018 mov eax, 56ACE388h 0x0000001d jmp 00007F6A109670D6h 0x0000001f mov dx, bx 0x00000022 lea edi, dword ptr [edi+23h] 0x00000025 mov al, 71h 0x00000027 not ebx 0x00000029 sub esp, 18h 0x0000002c add esp, 15h 0x0000002f jmp 00007F6A1096708Ah 0x00000031 lea esp, dword ptr [esp+03h] 0x00000035 xchg dword ptr [esp], edi 0x00000038 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CC41B4 second address: 0000000002CB5830 instructions: 0x00000000 rdtsc 0x00000002 dec edx 0x00000003 mov ebx, ecx 0x00000005 mov edx, esp 0x00000007 jmp 00007F6A10989B35h 0x0000000c push dword ptr [esp] 0x0000000f retn 0004h 0x00000012 call 00007F6A10989A18h 0x00000017 pop ax 0x00000019 lea esp, dword ptr [esp+02h] 0x0000001d jmp 00007F6A10989AD4h 0x00000022 mov ebp, dword ptr [esi] 0x00000024 bswap ebx 0x00000026 neg dx 0x00000029 jnle 00007F6A10989A13h 0x0000002b shl bh, 00000000h 0x0000002e mov edx, esi 0x00000030 jmp 00007F6A10989A62h 0x00000032 add esi, 04h 0x00000035 dec bx 0x00000037 jnbe 00007F6A10989A15h 0x00000039 lea ebx, dword ptr [05B59A4Ah] 0x0000003f call 00007F6A10989A53h 0x00000044 jmp 00007F6A1097AF8Eh 0x00000049 mov ecx, ebp 0x0000004b bsr bx, dx 0x0000004f jo 00007F6A109899FFh 0x00000051 mov dx, word ptr [esp] 0x00000055 mov edx, 0D44127Fh 0x0000005a xchg ax, dx 0x0000005c jmp 00007F6A10989A40h 0x0000005e not ebx 0x00000060 push ebp 0x00000061 jmp 00007F6A10989A4Dh 0x00000063 mov edx, eax 0x00000065 neg dh 0x00000067 jc 00007F6A10989ACFh 0x0000006d jmp 00007F6A109899E0h 0x0000006f setb al 0x00000072 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CC0342 second address: 0000000002CC0373 instructions: 0x00000000 rdtsc 0x00000002 xchg bl, dl 0x00000004 clc 0x00000005 jo 00007F6A109670C7h 0x00000007 jno 00007F6A109670C5h 0x00000009 push ebp 0x0000000a jmp 00007F6A109670B6h 0x0000000c lea ebp, dword ptr [ebx+000000F6h] 0x00000012 lea ecx, dword ptr [edx-6BD77D8Ah] 0x00000018 mov ebx, edi 0x0000001a rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CC9D23 second address: 0000000002CC9DF6 instructions: 0x00000000 rdtsc 0x00000002 call 00007F6A109899DFh 0x00000007 mov dl, CCh 0x00000009 mov eax, dword ptr [esp] 0x0000000c mov eax, dword ptr [esp] 0x0000000f lea edx, dword ptr [esp+ebp] 0x00000012 jmp 00007F6A10989A0Fh 0x00000014 xchg dword ptr [esp], ebp 0x00000017 sub esp, 0Eh 0x0000001a stc 0x0000001b call 00007F6A10989A62h 0x00000020 lea eax, dword ptr [esp+eax] 0x00000023 push dword ptr [esp+11h] 0x00000027 lea esp, dword ptr [esp+02h] 0x0000002b jmp 00007F6A10989A0Fh 0x0000002d lea ebp, dword ptr [ebp+7Ch] 0x00000030 push sp 0x00000032 rcl eax, cl 0x00000034 mov dh, byte ptr [esp] 0x00000037 xchg dh, dl 0x00000039 lea esp, dword ptr [esp+02h] 0x0000003d jmp 00007F6A10989A43h 0x0000003f xchg dword ptr [esp+14h], ebp 0x00000043 mov dl, byte ptr [esp] 0x00000046 xchg dh, dl 0x00000048 mov ah, 8Dh 0x0000004a push dword ptr [esp+14h] 0x0000004e retn 0018h 0x00000051 dec ebp 0x00000052 jmp 00007F6A109899B3h 0x00000054 mov ax, word ptr [esp] 0x00000058 btc dx, si 0x0000005c jmp 00007F6A10989A78h 0x0000005e jnbe 00007F6A109899EEh 0x00000060 mov ah, byte ptr [esp] 0x00000063 lea edx, dword ptr [00000000h+eax*4] 0x0000006a mov eax, dword ptr [esp] 0x0000006d add dx, 7A10h 0x00000072 not ah 0x00000074 mov edx, edi 0x00000076 jmp 00007F6A10989ACDh 0x0000007b inc dx 0x0000007d jnle 00007F6A10989A18h 0x0000007f not edx 0x00000081 mov edx, dword ptr [esp] 0x00000084 jmp 00007F6A10989A4Ch 0x00000086 not bl 0x00000088 bt edx, eax 0x0000008b jle 00007F6A10989A11h 0x0000008d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CC9027 second address: 0000000002CC9124 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [00000000h+esi*4] 0x00000009 xchg dword ptr [esp+18h], ecx 0x0000000d xchg dh, ah 0x0000000f dec ah 0x00000011 call 00007F6A10967083h 0x00000016 lea esp, dword ptr [esp+02h] 0x0000001a jmp 00007F6A109670F4h 0x0000001c lea esp, dword ptr [esp+02h] 0x00000020 push dword ptr [esp+18h] 0x00000024 retn 001Ch 0x00000027 mov ebx, dword ptr [ebp+00h] 0x0000002a bt dx, sp 0x0000002e jnc 00007F6A10967104h 0x00000030 jc 00007F6A1096712Eh 0x00000032 and edx, FD9B4CC2h 0x00000038 bsr ax, si 0x0000003c lea eax, dword ptr [edx+ebp] 0x0000003f jmp 00007F6A109670C4h 0x00000041 mov dl, byte ptr [ebp+04h] 0x00000044 lea eax, dword ptr [00000000h+eax*4] 0x0000004b mov eax, esi 0x0000004d sub ebp, 02h 0x00000050 jmp 00007F6A1096722Eh 0x00000055 shr eax, cl 0x00000057 jc 00007F6A10967032h 0x00000059 bt ax, si 0x0000005d ror ah, cl 0x0000005f and ax, ax 0x00000062 jmp 00007F6A10966F7Fh 0x00000067 xchg edx, ecx 0x00000069 not ax 0x0000006c jmp 00007F6A1096707Eh 0x0000006e shl ebx, cl 0x00000070 not eax 0x00000072 mov al, byte ptr [esp] 0x00000075 mov ax, word ptr [esp] 0x00000079 xchg edx, ecx 0x0000007b jmp 00007F6A109670B6h 0x0000007d mov ax, 3D73h 0x00000081 jmp 00007F6A10967120h 0x00000083 mov dword ptr [ebp+04h], ebx 0x00000086 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CC9124 second address: 0000000002CAF028 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [ecx+ecx] 0x00000005 xchg dl, ah 0x00000007 setbe al 0x0000000a jmp 00007F6A109899E6h 0x0000000c pushfd 0x0000000d pop dword ptr [ebp+00h] 0x00000010 lea eax, dword ptr [00000000h+eax*4] 0x00000017 mov ebx, dword ptr [esp] 0x0000001a jmp 00007F6A10989A0Ch 0x0000001c lea ebx, dword ptr [ecx+000000BAh] 0x00000022 mov dx, word ptr [esp] 0x00000026 jmp 00007F6A10989A62h 0x00000028 mov dx, di 0x0000002b mov bl, CCh 0x0000002d sub esp, 13h 0x00000030 jnc 00007F6A10989A12h 0x00000032 jmp 00007F6A10989A82h 0x00000034 push word ptr [esp+0Dh] 0x00000039 lea esp, dword ptr [esp+01h] 0x0000003d lea edx, dword ptr [edi+50h] 0x00000040 lea ebx, dword ptr [edi+17h] 0x00000043 push ax 0x00000045 mov ebx, eax 0x00000047 jmp 00007F6A10989A8Dh 0x00000049 mov ax, 1BE3h 0x0000004d lea esp, dword ptr [esp+02h] 0x00000051 cmp ebp, edx 0x00000053 ja 00007F6A1096FB22h 0x00000059 jmp 00007F6A109897BAh 0x0000005e movzx ebx, byte ptr [esi] 0x00000061 adc dx, di 0x00000064 jne 00007F6A10989A0Eh 0x00000066 call 00007F6A10989B59h 0x0000006b pop edx 0x0000006c mov dx, word ptr [esp] 0x00000070 jmp 00007F6A10989907h 0x00000075 mov eax, dword ptr [esp] 0x00000078 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CCAFBB second address: 0000000002CAF028 instructions: 0x00000000 rdtsc 0x00000002 lea ebx, dword ptr [ebx-00001F34h] 0x00000008 push ebp 0x00000009 jmp 00007F6A1096702Fh 0x0000000e mov byte ptr [esp+02h], dh 0x00000012 setl ah 0x00000015 pushfd 0x00000016 xchg dword ptr [esp+08h], ebx 0x0000001a xchg al, bh 0x0000001c pushad 0x0000001d jmp 00007F6A10966FF8h 0x00000022 mov dh, bl 0x00000024 mov bl, byte ptr [esp] 0x00000027 push dword ptr [esp+28h] 0x0000002b retn 002Ch 0x0000002e dec dh 0x00000030 ja 00007F6A10967401h 0x00000036 btr dx, si 0x0000003a call 00007F6A10966DC5h 0x0000003f pushfd 0x00000040 lea edx, dword ptr [edi+50h] 0x00000043 lea ebx, dword ptr [ebp-00002F6Bh] 0x00000049 mov al, cl 0x0000004b jmp 00007F6A10967072h 0x0000004d mov ah, byte ptr [esp] 0x00000050 push sp 0x00000052 lea esp, dword ptr [esp+02h] 0x00000056 cmp ebp, edx 0x00000058 jnp 00007F6A1096708Eh 0x0000005a jmp 00007F6A109670DEh 0x0000005c not al 0x0000005e bswap ebx 0x00000060 ja 00007F6A1094D65Eh 0x00000066 jmp 00007F6A10966E3Ah 0x0000006b movzx ebx, byte ptr [esi] 0x0000006e adc dx, di 0x00000071 jne 00007F6A1096708Eh 0x00000073 call 00007F6A109671D9h 0x00000078 pop edx 0x00000079 mov dx, word ptr [esp] 0x0000007d jmp 00007F6A10966F87h 0x00000082 mov eax, dword ptr [esp] 0x00000085 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CCD172 second address: 0000000002CCD230 instructions: 0x00000000 rdtsc 0x00000002 xchg bx, dx 0x00000005 pushad 0x00000006 push dword ptr [esp+0Dh] 0x0000000a jmp 00007F6A10989ACAh 0x0000000f jo 00007F6A10989A46h 0x00000011 mov ebx, dword ptr [ebp+00h] 0x00000014 pushfd 0x00000015 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002D008E0 second address: 0000000002D0094B instructions: 0x00000000 rdtsc 0x00000002 movzx ebx, byte ptr [esi] 0x00000005 sub esp, 0Ah 0x00000008 jmp 00007F6A10967165h 0x0000000d jl 00007F6A10967025h 0x00000013 xchg dword ptr [esp+01h], eax 0x00000017 pop word ptr [esp] 0x0000001b jmp 00007F6A10967075h 0x0000001d mov dx, word ptr [esp] 0x00000021 mov dh, ah 0x00000023 sub esp, 10h 0x00000026 jmp 00007F6A1096707Eh 0x00000028 lea esp, dword ptr [esp+0Fh] 0x0000002c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CCA8D4 second address: 0000000002CCAA68 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 3A160AC8h 0x00000007 jmp 00007F6A1098AF0Ah 0x0000000c shl ah, 00000005h 0x0000000f je 00007F6A10988839h 0x00000015 lea edx, dword ptr [00000000h+eax*4] 0x0000001c jmp 00007F6A10988833h 0x00000021 mov ebx, dword ptr [esi] 0x00000024 jmp 00007F6A1098991Bh 0x00000029 mov ax, D482h 0x0000002d mov dx, word ptr [esp] 0x00000031 lea edx, dword ptr [esp-00005E22h] 0x00000038 sub esi, 04h 0x0000003b rcl dx, 1 0x0000003e jmp 00007F6A1098998Ch 0x00000043 jne 00007F6A10989A63h 0x00000045 mov edx, 302DC918h 0x0000004a neg ah 0x0000004c btr eax, esi 0x0000004f mov edx, esi 0x00000051 mov dword ptr [edx], ebx 0x00000053 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CB0A9F second address: 0000000002CB0AF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A109672A1h 0x00000007 lea esp, dword ptr [esp+01h] 0x0000000b push dword ptr [esp+20h] 0x0000000f retn 0024h 0x00000012 inc eax 0x00000013 xor dx, 4A5Ch 0x00000018 pop dx 0x0000001a jmp 00007F6A109671A4h 0x0000001f lea esp, dword ptr [esp+02h] 0x00000023 rol bl, 00000000h 0x00000026 xchg dl, al 0x00000028 lea edx, dword ptr [00000000h+eax*4] 0x0000002f not ah 0x00000031 jmp 00007F6A10967073h 0x00000033 btc edx, edx 0x00000036 jbe 00007F6A10967097h 0x00000038 xchg dl, al 0x0000003a jmp 00007F6A109670D1h 0x0000003c dec bl 0x0000003e xchg ax, dx 0x00000040 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CC9DB0 second address: 0000000002CC9DF6 instructions: 0x00000000 rdtsc 0x00000002 mov dl, byte ptr [esp] 0x00000005 push dword ptr [esp+1Ch] 0x00000009 retn 0020h 0x0000000c mov edx, edi 0x0000000e jmp 00007F6A10989ACDh 0x00000013 inc dx 0x00000015 jnle 00007F6A10989A18h 0x00000017 not edx 0x00000019 mov edx, dword ptr [esp] 0x0000001c jmp 00007F6A10989A4Ch 0x0000001e not bl 0x00000020 bt edx, eax 0x00000023 jle 00007F6A10989A11h 0x00000025 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002D19BC1 second address: 0000000002D19B95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A10967061h 0x00000004 mov dword ptr [ebp+00h], ebx 0x00000007 jmp 00007F6A10967095h 0x00000009 bswap edx 0x0000000b mov bx, bp 0x0000000e mov bx, word ptr [esp] 0x00000012 call 00007F6A109670DAh 0x00000017 lea edx, dword ptr [esp+edx] 0x0000001a mov bx, si 0x0000001d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CAECF2 second address: 0000000002CAED3A instructions: 0x00000000 rdtsc 0x00000002 setnp bh 0x00000005 btc dx, bx 0x00000009 jmp 00007F6A10989A61h 0x0000000b lea ecx, dword ptr [ecx-00000087h] 0x00000011 mov edx, A9B55FE2h 0x00000016 mov ax, si 0x00000019 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CAED3A second address: 0000000002CAED16 instructions: 0x00000000 rdtsc 0x00000002 xchg dword ptr [esp], ecx 0x00000005 xchg eax, edx 0x00000006 jmp 00007F6A10967086h 0x00000008 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CAED16 second address: 0000000002CAEE1E instructions: 0x00000000 rdtsc 0x00000002 clc 0x00000003 push dword ptr [esp] 0x00000006 retn 0004h 0x00000009 mov bh, byte ptr [esp] 0x0000000c shr ah, 00000006h 0x0000000f jl 00007F6A10989B89h 0x00000015 cpuid 0x00000017 mov ecx, esi 0x00000019 mov edx, AAC6D270h 0x0000001e xchg eax, ebx 0x0000001f lea eax, dword ptr [ebp+000000F7h] 0x00000025 jmp 00007F6A109899EFh 0x00000027 shr bx, 000Bh 0x0000002b jnp 00007F6A10989A16h 0x0000002d lea eax, dword ptr [00000000h+edx*4] 0x00000034 btc dx, sp 0x00000038 jmp 00007F6A10989BC9h 0x0000003d xchg dh, bh 0x0000003f mov bx, si 0x00000042 mov bx, EE0Ch 0x00000046 jmp 00007F6A1098989Dh 0x0000004b rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CB5767 second address: 0000000002CB5830 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6A109670DCh 0x00000005 pushfd 0x00000006 mov ecx, ebp 0x00000008 bsr bx, dx 0x0000000c jo 00007F6A1096707Fh 0x0000000e mov dx, word ptr [esp] 0x00000012 mov edx, 0D44127Fh 0x00000017 xchg ax, dx 0x00000019 jmp 00007F6A109670C0h 0x0000001b not ebx 0x0000001d push ebp 0x0000001e jmp 00007F6A109670CDh 0x00000020 mov edx, eax 0x00000022 neg dh 0x00000024 jc 00007F6A1096714Fh 0x0000002a jmp 00007F6A10967060h 0x0000002c setb al 0x0000002f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CAEC77 second address: 0000000002CAECF2 instructions: 0x00000000 rdtsc 0x00000002 setns dh 0x00000005 jmp 00007F6A10989A02h 0x00000007 cpuid 0x00000009 bsf di, bx 0x0000000d xchg ch, dh 0x0000000f push dword ptr [esp] 0x00000012 retn 0004h 0x00000015 mov esi, dword ptr [esp+2Ch] 0x00000019 clc 0x0000001a jmp 00007F6A10989A71h 0x0000001c jp 00007F6A10989A46h 0x0000001e mov eax, dword ptr [esp] 0x00000021 bswap eax 0x00000023 jmp 00007F6A1098A0F0h 0x00000028 lea ebp, dword ptr [esp] 0x0000002b bsf cx, sp 0x0000002f jg 00007F6A1098936Eh 0x00000035 lea edi, dword ptr [ebp-21h] 0x00000038 call 00007F6A10989DA8h 0x0000003d inc cx 0x0000003f jmp 00007F6A10989727h 0x00000044 jc 00007F6A10989A67h 0x00000046 jnc 00007F6A10989A65h 0x00000048 sub esp, 000000BCh 0x0000004e mov edi, esp 0x00000050 xchg eax, edx 0x00000051 call 00007F6A10989998h 0x00000056 xchg dl, bl 0x00000058 lea ecx, dword ptr [00000000h+ebx*4] 0x0000005f mov ch, byte ptr [esp] 0x00000062 xchg bl, bh 0x00000064 jmp 00007F6A10989A4Eh 0x00000066 xchg dword ptr [esp], ecx 0x00000069 lea ebx, dword ptr [ebp+00004234h] 0x0000006f mov ax, bx 0x00000072 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe RDTSC instruction interceptor: First address: 0000000002CAED5F second address: 0000000002CAEE1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A1096712Ah 0x00000004 mov bh, A0h 0x00000006 xchg dword ptr [esp], ecx 0x00000009 mov dl, 73h 0x0000000b clc 0x0000000c mov ah, 62h 0x0000000e pushfd 0x0000000f jmp 00007F6A10967063h 0x00000011 mov dx, 6B77h 0x00000015 lea ecx, dword ptr [ecx+000000BDh] 0x0000001b rcl bl, cl 0x0000001d mov dh, byte ptr [esp] 0x00000020 sete bh 0x00000023 neg edx 0x00000025 jmp 00007F6A10967086h 0x00000027 xchg dword ptr [esp+04h], ecx 0x0000002b mov dx, word ptr [esp] 0x0000002f sub esp, 0Ah 0x00000032 jmp 00007F6A109670D1h 0x00000034 lea edx, dword ptr [esp+00003586h] 0x0000003b call 00007F6A109670BFh 0x00000040 lea esp, dword ptr [esp+02h] 0x00000044 push dword ptr [esp+10h] 0x00000048 retn 0014h 0x0000004b mov ecx, esi 0x0000004d mov edx, AAC6D270h 0x00000052 xchg eax, ebx 0x00000053 lea eax, dword ptr [ebp+000000F7h] 0x00000059 jmp 00007F6A1096706Fh 0x0000005b shr bx, 000Bh 0x0000005f jnp 00007F6A10967096h 0x00000061 lea eax, dword ptr [00000000h+edx*4] 0x00000068 btc dx, sp 0x0000006c jmp 00007F6A10967249h 0x00000071 xchg dh, bh 0x00000073 mov bx, si 0x00000076 mov bx, EE0Ch 0x0000007a jmp 00007F6A10966F1Dh 0x0000007f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002D00D07 second address: 0000000002D00D09 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CD89DA second address: 0000000002CD8A0D instructions: 0x00000000 rdtsc 0x00000002 mov al, 1Bh 0x00000004 jmp 00007F6A109670D3h 0x00000006 mov eax, esi 0x00000008 mov word ptr [eax], bx 0x0000000b mov edx, 5B70B88Ch 0x00000010 mov dl, cl 0x00000012 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002D7BD16 second address: 0000000002D7BCB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A109899C9h 0x00000004 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002DAA66D second address: 0000000002DAA677 instructions: 0x00000000 rdtsc 0x00000002 xchg ah, dh 0x00000004 not eax 0x00000006 push edi 0x00000007 setbe al 0x0000000a rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002DAA677 second address: 0000000002DAA657 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A10989A0Eh 0x00000004 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002DAA657 second address: 0000000002DAA6DE instructions: 0x00000000 rdtsc 0x00000002 mov ax, CDD0h 0x00000006 bswap eax 0x00000008 mov ax, cx 0x0000000b mov edi, eax 0x0000000d xchg eax, edx 0x0000000e jmp 00007F6A1096711Eh 0x00000010 pop edi 0x00000011 bswap eax 0x00000013 mov eax, dword ptr [esp] 0x00000016 setp dl 0x00000019 mov edx, edi 0x0000001b rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CD5830 second address: 0000000002CD592B instructions: 0x00000000 rdtsc 0x00000002 rol ebp, 00000000h 0x00000005 jmp 00007F6A109899F6h 0x00000007 jl 00007F6A10989A46h 0x00000009 bt ebx, eax 0x0000000c mov bl, byte ptr [esp] 0x0000000f bswap edx 0x00000011 mov ax, word ptr [esp] 0x00000015 mov dl, 43h 0x00000017 mov ax, 8824h 0x0000001b clc 0x0000001c jmp 00007F6A10989B7Eh 0x00000021 jc 00007F6A10989965h 0x00000027 jnc 00007F6A1098995Fh 0x0000002d lea esp, dword ptr [esp+04h] 0x00000031 neg ebp 0x00000033 mov bh, byte ptr [esp] 0x00000036 rol al, 00000007h 0x00000039 jmp 00007F6A10989A8Bh 0x0000003b jne 00007F6A10989A4Dh 0x0000003d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CD7AB0 second address: 0000000002CD7AB4 instructions: 0x00000000 rdtsc 0x00000002 xchg ah, dh 0x00000004 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CE3D27 second address: 0000000002CE3EB2 instructions: 0x00000000 rdtsc 0x00000002 mov dh, byte ptr [esp] 0x00000005 jmp 00007F6A109899D1h 0x00000007 pushfd 0x00000008 push dword ptr [esp+04h] 0x0000000c retn 0008h 0x0000000f lea esp, dword ptr [esp+03h] 0x00000013 jmp 00007F6A10989ABFh 0x00000018 add esi, 04h 0x0000001b mov ax, word ptr [esp] 0x0000001f setb dh 0x00000022 xchg dl, ah 0x00000024 jmp 00007F6A109899EDh 0x00000026 push edi 0x00000027 mov ah, byte ptr [esp] 0x0000002a xchg edi, eax 0x0000002c push ecx 0x0000002d jmp 00007F6A10989A36h 0x0000002f push esi 0x00000030 xchg bl, al 0x00000032 dec bh 0x00000034 jp 00007F6A10989AAEh 0x00000036 mov ecx, ebx 0x00000038 jmp 00007F6A10989A94h 0x0000003a mov ah, byte ptr [esp] 0x0000003d mov dx, 5C02h 0x00000041 xor dx, 3A64h 0x00000046 jmp 00007F6A10989D77h 0x0000004b jbe 00007F6A10989A9Bh 0x0000004d jnbe 00007F6A10989A99h 0x0000004f push esi 0x00000050 mov esi, 54CE0987h 0x00000055 xor bl, ch 0x00000057 jbe 00007F6A10989853h 0x0000005d ja 00007F6A1098984Dh 0x00000063 call 00007F6A109899B4h 0x00000068 pop edi 0x00000069 jmp 00007F6A109898FBh 0x0000006e lea edi, dword ptr [00000000h+eax*4] 0x00000075 lea eax, dword ptr [00000000h+esi*4] 0x0000007c setle al 0x0000007f inc al 0x00000081 js 00007F6A109899FEh 0x00000083 jns 00007F6A109899FCh 0x00000085 jmp 00007F6A10989B51h 0x0000008a pop edi 0x0000008b mov edx, 9C6E709Dh 0x00000090 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CCFAF6 second address: 0000000002CCFCBF instructions: 0x00000000 rdtsc 0x00000002 pop dx 0x00000004 jmp 00007F6A109670E8h 0x00000006 xchg eax, edx 0x00000007 dec ax 0x00000009 jno 00007F6A10967097h 0x0000000b xchg al, ah 0x0000000d mov ax, bp 0x00000010 lea esp, dword ptr [esp+02h] 0x00000014 jmp 00007F6A109670C6h 0x00000016 add bl, 00000011h 0x00000019 mov ax, 9BD1h 0x0000001d mov eax, EC020B0Fh 0x00000022 mov al, byte ptr [esp] 0x00000025 xchg al, ah 0x00000027 jmp 00007F6A1096721Dh 0x0000002c lea edx, dword ptr [ebx-000000E2h] 0x00000032 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CCFCBF second address: 0000000002CCFBA8 instructions: 0x00000000 rdtsc 0x00000002 dec bl 0x00000004 mov dl, 6Ah 0x00000006 lea edx, dword ptr [00000000h+eax*4] 0x0000000d jmp 00007F6A1098990Ch 0x00000012 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D208B3 second address: 0000000002D2092A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A109670D0h 0x00000004 sub ebp, 02h 0x00000007 neg ah 0x00000009 jmp 00007F6A109670FEh 0x0000000b jo 00007F6A10967068h 0x0000000d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D2092A second address: 0000000002D2094B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A109899E6h 0x00000004 movzx ebx, byte ptr [esi] 0x00000007 sub esp, 0Ah 0x0000000a jmp 00007F6A10989AE5h 0x0000000f jl 00007F6A109899A5h 0x00000015 xchg dword ptr [esp+01h], eax 0x00000019 pop word ptr [esp] 0x0000001d jmp 00007F6A109899F5h 0x0000001f mov dx, word ptr [esp] 0x00000023 mov dh, ah 0x00000025 sub esp, 10h 0x00000028 jmp 00007F6A109899FEh 0x0000002a lea esp, dword ptr [esp+0Fh] 0x0000002e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CEF002 second address: 0000000002CEF00A instructions: 0x00000000 rdtsc 0x00000002 lea ebx, dword ptr [edi-6350673Ch] 0x00000008 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CEF00A second address: 0000000002CEEDBB instructions: 0x00000000 rdtsc 0x00000002 neg eax 0x00000004 jns 00007F6A10989825h 0x0000000a jmp 00007F6A109899DAh 0x0000000c mov ebx, esi 0x0000000e mov edx, dword ptr [ebx] 0x00000010 mov ah, al 0x00000012 mov eax, dword ptr [esp] 0x00000015 jmp 00007F6A109899CCh 0x00000017 mov bl, byte ptr [esi+04h] 0x0000001a clc 0x0000001b jc 00007F6A10989A16h 0x0000001d mov ah, byte ptr [esp] 0x00000020 jmp 00007F6A10989A14h 0x00000022 call 00007F6A10989A6Bh 0x00000027 mov dword ptr [esp], eax 0x0000002a jmp 00007F6A10989A10h 0x0000002c sub esi, 02h 0x0000002f mov eax, 22755878h 0x00000034 mov ax, 5CECh 0x00000038 mov ah, cl 0x0000003a jmp 00007F6A10989A5Ah 0x0000003c xchg ebx, ecx 0x0000003e lea eax, dword ptr [eax+edi] 0x00000041 lea eax, dword ptr [00000000h+eax*4] 0x00000048 mov ah, byte ptr [esp] 0x0000004b jmp 00007F6A10989A0Bh 0x0000004d shl edx, cl 0x0000004f lea eax, dword ptr [00000000h+edx*4] 0x00000056 push bp 0x00000058 mov byte ptr [esp], bl 0x0000005b jmp 00007F6A10989A73h 0x0000005d lea esp, dword ptr [esp+02h] 0x00000061 xchg ebx, ecx 0x00000063 mov eax, esp 0x00000065 xchg al, ah 0x00000067 lea eax, dword ptr [ebx-000082EAh] 0x0000006d jmp 00007F6A10989A08h 0x0000006f mov dword ptr [esi+04h], edx 0x00000072 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CE9DA4 second address: 0000000002CE9DF6 instructions: 0x00000000 rdtsc 0x00000002 dec ebp 0x00000003 jmp 00007F6A10967033h 0x00000005 mov ax, word ptr [esp] 0x00000009 btc dx, si 0x0000000d jmp 00007F6A109670F8h 0x0000000f jnbe 00007F6A1096706Eh 0x00000011 mov ah, byte ptr [esp] 0x00000014 lea edx, dword ptr [00000000h+eax*4] 0x0000001b mov eax, dword ptr [esp] 0x0000001e add dx, 7A10h 0x00000023 not ah 0x00000025 mov edx, edi 0x00000027 jmp 00007F6A1096714Dh 0x0000002c inc dx 0x0000002e jnle 00007F6A10967098h 0x00000030 not edx 0x00000032 mov edx, dword ptr [esp] 0x00000035 jmp 00007F6A109670CCh 0x00000037 not bl 0x00000039 bt edx, eax 0x0000003c jle 00007F6A10967091h 0x0000003e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CE9DF6 second address: 0000000002CE9EAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A10989AB9h 0x00000007 setnle dl 0x0000000a setns dl 0x0000000d cmp edx, esi 0x0000000f jmp 00007F6A10989A00h 0x00000011 mov edx, dword ptr [esp] 0x00000014 neg bl 0x00000016 bswap edx 0x00000018 rcl eax, 07h 0x0000001b jmp 00007F6A10989A36h 0x0000001d jnbe 00007F6A10989A0Ah 0x0000001f mov ax, word ptr [esp] 0x00000023 shl edx, 19h 0x00000026 jmp 00007F6A10989A65h 0x00000028 mov edx, dword ptr [esp] 0x0000002b rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CE4149 second address: 0000000002CE41B4 instructions: 0x00000000 rdtsc 0x00000002 call 00007F6A1096710Ah 0x00000007 lea edx, dword ptr [ebx+ebp] 0x0000000a mov bx, bp 0x0000000d jmp 00007F6A10967094h 0x0000000f lea ebx, dword ptr [esi-0000FFF0h] 0x00000015 xchg dword ptr [esp], edi 0x00000018 mov eax, 56ACE388h 0x0000001d jmp 00007F6A109670D6h 0x0000001f mov dx, bx 0x00000022 lea edi, dword ptr [edi+23h] 0x00000025 mov al, 71h 0x00000027 not ebx 0x00000029 sub esp, 18h 0x0000002c add esp, 15h 0x0000002f jmp 00007F6A1096708Ah 0x00000031 lea esp, dword ptr [esp+03h] 0x00000035 xchg dword ptr [esp], edi 0x00000038 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CE41B4 second address: 0000000002CD5830 instructions: 0x00000000 rdtsc 0x00000002 dec edx 0x00000003 mov ebx, ecx 0x00000005 mov edx, esp 0x00000007 jmp 00007F6A10989B35h 0x0000000c push dword ptr [esp] 0x0000000f retn 0004h 0x00000012 call 00007F6A10989A18h 0x00000017 pop ax 0x00000019 lea esp, dword ptr [esp+02h] 0x0000001d jmp 00007F6A10989AD4h 0x00000022 mov ebp, dword ptr [esi] 0x00000024 bswap ebx 0x00000026 neg dx 0x00000029 jnle 00007F6A10989A13h 0x0000002b shl bh, 00000000h 0x0000002e mov edx, esi 0x00000030 jmp 00007F6A10989A62h 0x00000032 add esi, 04h 0x00000035 dec bx 0x00000037 jnbe 00007F6A10989A15h 0x00000039 lea ebx, dword ptr [05B59A4Ah] 0x0000003f call 00007F6A10989A53h 0x00000044 jmp 00007F6A1097AF8Eh 0x00000049 mov ecx, ebp 0x0000004b bsr bx, dx 0x0000004f jo 00007F6A109899FFh 0x00000051 mov dx, word ptr [esp] 0x00000055 mov edx, 0D44127Fh 0x0000005a xchg ax, dx 0x0000005c jmp 00007F6A10989A40h 0x0000005e not ebx 0x00000060 push ebp 0x00000061 jmp 00007F6A10989A4Dh 0x00000063 mov edx, eax 0x00000065 neg dh 0x00000067 jc 00007F6A10989ACFh 0x0000006d jmp 00007F6A109899E0h 0x0000006f setb al 0x00000072 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CE0342 second address: 0000000002CE0373 instructions: 0x00000000 rdtsc 0x00000002 xchg bl, dl 0x00000004 clc 0x00000005 jo 00007F6A109670C7h 0x00000007 jno 00007F6A109670C5h 0x00000009 push ebp 0x0000000a jmp 00007F6A109670B6h 0x0000000c lea ebp, dword ptr [ebx+000000F6h] 0x00000012 lea ecx, dword ptr [edx-6BD77D8Ah] 0x00000018 mov ebx, edi 0x0000001a rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CE9D23 second address: 0000000002CE9DF6 instructions: 0x00000000 rdtsc 0x00000002 call 00007F6A109899DFh 0x00000007 mov dl, CCh 0x00000009 mov eax, dword ptr [esp] 0x0000000c mov eax, dword ptr [esp] 0x0000000f lea edx, dword ptr [esp+ebp] 0x00000012 jmp 00007F6A10989A0Fh 0x00000014 xchg dword ptr [esp], ebp 0x00000017 sub esp, 0Eh 0x0000001a stc 0x0000001b call 00007F6A10989A62h 0x00000020 lea eax, dword ptr [esp+eax] 0x00000023 push dword ptr [esp+11h] 0x00000027 lea esp, dword ptr [esp+02h] 0x0000002b jmp 00007F6A10989A0Fh 0x0000002d lea ebp, dword ptr [ebp+7Ch] 0x00000030 push sp 0x00000032 rcl eax, cl 0x00000034 mov dh, byte ptr [esp] 0x00000037 xchg dh, dl 0x00000039 lea esp, dword ptr [esp+02h] 0x0000003d jmp 00007F6A10989A43h 0x0000003f xchg dword ptr [esp+14h], ebp 0x00000043 mov dl, byte ptr [esp] 0x00000046 xchg dh, dl 0x00000048 mov ah, 8Dh 0x0000004a push dword ptr [esp+14h] 0x0000004e retn 0018h 0x00000051 dec ebp 0x00000052 jmp 00007F6A109899B3h 0x00000054 mov ax, word ptr [esp] 0x00000058 btc dx, si 0x0000005c jmp 00007F6A10989A78h 0x0000005e jnbe 00007F6A109899EEh 0x00000060 mov ah, byte ptr [esp] 0x00000063 lea edx, dword ptr [00000000h+eax*4] 0x0000006a mov eax, dword ptr [esp] 0x0000006d add dx, 7A10h 0x00000072 not ah 0x00000074 mov edx, edi 0x00000076 jmp 00007F6A10989ACDh 0x0000007b inc dx 0x0000007d jnle 00007F6A10989A18h 0x0000007f not edx 0x00000081 mov edx, dword ptr [esp] 0x00000084 jmp 00007F6A10989A4Ch 0x00000086 not bl 0x00000088 bt edx, eax 0x0000008b jle 00007F6A10989A11h 0x0000008d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CE9027 second address: 0000000002CE9124 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [00000000h+esi*4] 0x00000009 xchg dword ptr [esp+18h], ecx 0x0000000d xchg dh, ah 0x0000000f dec ah 0x00000011 call 00007F6A10967083h 0x00000016 lea esp, dword ptr [esp+02h] 0x0000001a jmp 00007F6A109670F4h 0x0000001c lea esp, dword ptr [esp+02h] 0x00000020 push dword ptr [esp+18h] 0x00000024 retn 001Ch 0x00000027 mov ebx, dword ptr [ebp+00h] 0x0000002a bt dx, sp 0x0000002e jnc 00007F6A10967104h 0x00000030 jc 00007F6A1096712Eh 0x00000032 and edx, FD9B4CC2h 0x00000038 bsr ax, si 0x0000003c lea eax, dword ptr [edx+ebp] 0x0000003f jmp 00007F6A109670C4h 0x00000041 mov dl, byte ptr [ebp+04h] 0x00000044 lea eax, dword ptr [00000000h+eax*4] 0x0000004b mov eax, esi 0x0000004d sub ebp, 02h 0x00000050 jmp 00007F6A1096722Eh 0x00000055 shr eax, cl 0x00000057 jc 00007F6A10967032h 0x00000059 bt ax, si 0x0000005d ror ah, cl 0x0000005f and ax, ax 0x00000062 jmp 00007F6A10966F7Fh 0x00000067 xchg edx, ecx 0x00000069 not ax 0x0000006c jmp 00007F6A1096707Eh 0x0000006e shl ebx, cl 0x00000070 not eax 0x00000072 mov al, byte ptr [esp] 0x00000075 mov ax, word ptr [esp] 0x00000079 xchg edx, ecx 0x0000007b jmp 00007F6A109670B6h 0x0000007d mov ax, 3D73h 0x00000081 jmp 00007F6A10967120h 0x00000083 mov dword ptr [ebp+04h], ebx 0x00000086 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CE9124 second address: 0000000002CCF028 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [ecx+ecx] 0x00000005 xchg dl, ah 0x00000007 setbe al 0x0000000a jmp 00007F6A109899E6h 0x0000000c pushfd 0x0000000d pop dword ptr [ebp+00h] 0x00000010 lea eax, dword ptr [00000000h+eax*4] 0x00000017 mov ebx, dword ptr [esp] 0x0000001a jmp 00007F6A10989A0Ch 0x0000001c lea ebx, dword ptr [ecx+000000BAh] 0x00000022 mov dx, word ptr [esp] 0x00000026 jmp 00007F6A10989A62h 0x00000028 mov dx, di 0x0000002b mov bl, CCh 0x0000002d sub esp, 13h 0x00000030 jnc 00007F6A10989A12h 0x00000032 jmp 00007F6A10989A82h 0x00000034 push word ptr [esp+0Dh] 0x00000039 lea esp, dword ptr [esp+01h] 0x0000003d lea edx, dword ptr [edi+50h] 0x00000040 lea ebx, dword ptr [edi+17h] 0x00000043 push ax 0x00000045 mov ebx, eax 0x00000047 jmp 00007F6A10989A8Dh 0x00000049 mov ax, 1BE3h 0x0000004d lea esp, dword ptr [esp+02h] 0x00000051 cmp ebp, edx 0x00000053 ja 00007F6A1096FB22h 0x00000059 jmp 00007F6A109897BAh 0x0000005e movzx ebx, byte ptr [esi] 0x00000061 adc dx, di 0x00000064 jne 00007F6A10989A0Eh 0x00000066 call 00007F6A10989B59h 0x0000006b pop edx 0x0000006c mov dx, word ptr [esp] 0x00000070 jmp 00007F6A10989907h 0x00000075 mov eax, dword ptr [esp] 0x00000078 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CEAFBB second address: 0000000002CCF028 instructions: 0x00000000 rdtsc 0x00000002 lea ebx, dword ptr [ebx-00001F34h] 0x00000008 push ebp 0x00000009 jmp 00007F6A1096702Fh 0x0000000e mov byte ptr [esp+02h], dh 0x00000012 setl ah 0x00000015 pushfd 0x00000016 xchg dword ptr [esp+08h], ebx 0x0000001a xchg al, bh 0x0000001c pushad 0x0000001d jmp 00007F6A10966FF8h 0x00000022 mov dh, bl 0x00000024 mov bl, byte ptr [esp] 0x00000027 push dword ptr [esp+28h] 0x0000002b retn 002Ch 0x0000002e dec dh 0x00000030 ja 00007F6A10967401h 0x00000036 btr dx, si 0x0000003a call 00007F6A10966DC5h 0x0000003f pushfd 0x00000040 lea edx, dword ptr [edi+50h] 0x00000043 lea ebx, dword ptr [ebp-00002F6Bh] 0x00000049 mov al, cl 0x0000004b jmp 00007F6A10967072h 0x0000004d mov ah, byte ptr [esp] 0x00000050 push sp 0x00000052 lea esp, dword ptr [esp+02h] 0x00000056 cmp ebp, edx 0x00000058 jnp 00007F6A1096708Eh 0x0000005a jmp 00007F6A109670DEh 0x0000005c not al 0x0000005e bswap ebx 0x00000060 ja 00007F6A1094D65Eh 0x00000066 jmp 00007F6A10966E3Ah 0x0000006b movzx ebx, byte ptr [esi] 0x0000006e adc dx, di 0x00000071 jne 00007F6A1096708Eh 0x00000073 call 00007F6A109671D9h 0x00000078 pop edx 0x00000079 mov dx, word ptr [esp] 0x0000007d jmp 00007F6A10966F87h 0x00000082 mov eax, dword ptr [esp] 0x00000085 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CED172 second address: 0000000002CED230 instructions: 0x00000000 rdtsc 0x00000002 xchg bx, dx 0x00000005 pushad 0x00000006 push dword ptr [esp+0Dh] 0x0000000a jmp 00007F6A10989ACAh 0x0000000f jo 00007F6A10989A46h 0x00000011 mov ebx, dword ptr [ebp+00h] 0x00000014 pushfd 0x00000015 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D208E0 second address: 0000000002D2094B instructions: 0x00000000 rdtsc 0x00000002 movzx ebx, byte ptr [esi] 0x00000005 sub esp, 0Ah 0x00000008 jmp 00007F6A10967165h 0x0000000d jl 00007F6A10967025h 0x00000013 xchg dword ptr [esp+01h], eax 0x00000017 pop word ptr [esp] 0x0000001b jmp 00007F6A10967075h 0x0000001d mov dx, word ptr [esp] 0x00000021 mov dh, ah 0x00000023 sub esp, 10h 0x00000026 jmp 00007F6A1096707Eh 0x00000028 lea esp, dword ptr [esp+0Fh] 0x0000002c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CEA8D4 second address: 0000000002CEAA68 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 3A160AC8h 0x00000007 jmp 00007F6A1098AF0Ah 0x0000000c shl ah, 00000005h 0x0000000f je 00007F6A10988839h 0x00000015 lea edx, dword ptr [00000000h+eax*4] 0x0000001c jmp 00007F6A10988833h 0x00000021 mov ebx, dword ptr [esi] 0x00000024 jmp 00007F6A1098991Bh 0x00000029 mov ax, D482h 0x0000002d mov dx, word ptr [esp] 0x00000031 lea edx, dword ptr [esp-00005E22h] 0x00000038 sub esi, 04h 0x0000003b rcl dx, 1 0x0000003e jmp 00007F6A1098998Ch 0x00000043 jne 00007F6A10989A63h 0x00000045 mov edx, 302DC918h 0x0000004a neg ah 0x0000004c btr eax, esi 0x0000004f mov edx, esi 0x00000051 mov dword ptr [edx], ebx 0x00000053 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CD0A9F second address: 0000000002CD0AF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A109672A1h 0x00000007 lea esp, dword ptr [esp+01h] 0x0000000b push dword ptr [esp+20h] 0x0000000f retn 0024h 0x00000012 inc eax 0x00000013 xor dx, 4A5Ch 0x00000018 pop dx 0x0000001a jmp 00007F6A109671A4h 0x0000001f lea esp, dword ptr [esp+02h] 0x00000023 rol bl, 00000000h 0x00000026 xchg dl, al 0x00000028 lea edx, dword ptr [00000000h+eax*4] 0x0000002f not ah 0x00000031 jmp 00007F6A10967073h 0x00000033 btc edx, edx 0x00000036 jbe 00007F6A10967097h 0x00000038 xchg dl, al 0x0000003a jmp 00007F6A109670D1h 0x0000003c dec bl 0x0000003e xchg ax, dx 0x00000040 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CE9DB0 second address: 0000000002CE9DF6 instructions: 0x00000000 rdtsc 0x00000002 mov dl, byte ptr [esp] 0x00000005 push dword ptr [esp+1Ch] 0x00000009 retn 0020h 0x0000000c mov edx, edi 0x0000000e jmp 00007F6A10989ACDh 0x00000013 inc dx 0x00000015 jnle 00007F6A10989A18h 0x00000017 not edx 0x00000019 mov edx, dword ptr [esp] 0x0000001c jmp 00007F6A10989A4Ch 0x0000001e not bl 0x00000020 bt edx, eax 0x00000023 jle 00007F6A10989A11h 0x00000025 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D39BC1 second address: 0000000002D39B95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A10967061h 0x00000004 mov dword ptr [ebp+00h], ebx 0x00000007 jmp 00007F6A10967095h 0x00000009 bswap edx 0x0000000b mov bx, bp 0x0000000e mov bx, word ptr [esp] 0x00000012 call 00007F6A109670DAh 0x00000017 lea edx, dword ptr [esp+edx] 0x0000001a mov bx, si 0x0000001d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CCECF2 second address: 0000000002CCED3A instructions: 0x00000000 rdtsc 0x00000002 setnp bh 0x00000005 btc dx, bx 0x00000009 jmp 00007F6A10989A61h 0x0000000b lea ecx, dword ptr [ecx-00000087h] 0x00000011 mov edx, A9B55FE2h 0x00000016 mov ax, si 0x00000019 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CCED3A second address: 0000000002CCED16 instructions: 0x00000000 rdtsc 0x00000002 xchg dword ptr [esp], ecx 0x00000005 xchg eax, edx 0x00000006 jmp 00007F6A10967086h 0x00000008 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CCED16 second address: 0000000002CCEE1E instructions: 0x00000000 rdtsc 0x00000002 clc 0x00000003 push dword ptr [esp] 0x00000006 retn 0004h 0x00000009 mov bh, byte ptr [esp] 0x0000000c shr ah, 00000006h 0x0000000f jl 00007F6A10989B89h 0x00000015 cpuid 0x00000017 mov ecx, esi 0x00000019 mov edx, AAC6D270h 0x0000001e xchg eax, ebx 0x0000001f lea eax, dword ptr [ebp+000000F7h] 0x00000025 jmp 00007F6A109899EFh 0x00000027 shr bx, 000Bh 0x0000002b jnp 00007F6A10989A16h 0x0000002d lea eax, dword ptr [00000000h+edx*4] 0x00000034 btc dx, sp 0x00000038 jmp 00007F6A10989BC9h 0x0000003d xchg dh, bh 0x0000003f mov bx, si 0x00000042 mov bx, EE0Ch 0x00000046 jmp 00007F6A1098989Dh 0x0000004b rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CD5767 second address: 0000000002CD5830 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6A109670DCh 0x00000005 pushfd 0x00000006 mov ecx, ebp 0x00000008 bsr bx, dx 0x0000000c jo 00007F6A1096707Fh 0x0000000e mov dx, word ptr [esp] 0x00000012 mov edx, 0D44127Fh 0x00000017 xchg ax, dx 0x00000019 jmp 00007F6A109670C0h 0x0000001b not ebx 0x0000001d push ebp 0x0000001e jmp 00007F6A109670CDh 0x00000020 mov edx, eax 0x00000022 neg dh 0x00000024 jc 00007F6A1096714Fh 0x0000002a jmp 00007F6A10967060h 0x0000002c setb al 0x0000002f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CCEC77 second address: 0000000002CCECF2 instructions: 0x00000000 rdtsc 0x00000002 setns dh 0x00000005 jmp 00007F6A10989A02h 0x00000007 cpuid 0x00000009 bsf di, bx 0x0000000d xchg ch, dh 0x0000000f push dword ptr [esp] 0x00000012 retn 0004h 0x00000015 mov esi, dword ptr [esp+2Ch] 0x00000019 clc 0x0000001a jmp 00007F6A10989A71h 0x0000001c jp 00007F6A10989A46h 0x0000001e mov eax, dword ptr [esp] 0x00000021 bswap eax 0x00000023 jmp 00007F6A1098A0F0h 0x00000028 lea ebp, dword ptr [esp] 0x0000002b bsf cx, sp 0x0000002f jg 00007F6A1098936Eh 0x00000035 lea edi, dword ptr [ebp-21h] 0x00000038 call 00007F6A10989DA8h 0x0000003d inc cx 0x0000003f jmp 00007F6A10989727h 0x00000044 jc 00007F6A10989A67h 0x00000046 jnc 00007F6A10989A65h 0x00000048 sub esp, 000000BCh 0x0000004e mov edi, esp 0x00000050 xchg eax, edx 0x00000051 call 00007F6A10989998h 0x00000056 xchg dl, bl 0x00000058 lea ecx, dword ptr [00000000h+ebx*4] 0x0000005f mov ch, byte ptr [esp] 0x00000062 xchg bl, bh 0x00000064 jmp 00007F6A10989A4Eh 0x00000066 xchg dword ptr [esp], ecx 0x00000069 lea ebx, dword ptr [ebp+00004234h] 0x0000006f mov ax, bx 0x00000072 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CCED5F second address: 0000000002CCEE1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A1096712Ah 0x00000004 mov bh, A0h 0x00000006 xchg dword ptr [esp], ecx 0x00000009 mov dl, 73h 0x0000000b clc 0x0000000c mov ah, 62h 0x0000000e pushfd 0x0000000f jmp 00007F6A10967063h 0x00000011 mov dx, 6B77h 0x00000015 lea ecx, dword ptr [ecx+000000BDh] 0x0000001b rcl bl, cl 0x0000001d mov dh, byte ptr [esp] 0x00000020 sete bh 0x00000023 neg edx 0x00000025 jmp 00007F6A10967086h 0x00000027 xchg dword ptr [esp+04h], ecx 0x0000002b mov dx, word ptr [esp] 0x0000002f sub esp, 0Ah 0x00000032 jmp 00007F6A109670D1h 0x00000034 lea edx, dword ptr [esp+00003586h] 0x0000003b call 00007F6A109670BFh 0x00000040 lea esp, dword ptr [esp+02h] 0x00000044 push dword ptr [esp+10h] 0x00000048 retn 0014h 0x0000004b mov ecx, esi 0x0000004d mov edx, AAC6D270h 0x00000052 xchg eax, ebx 0x00000053 lea eax, dword ptr [ebp+000000F7h] 0x00000059 jmp 00007F6A1096706Fh 0x0000005b shr bx, 000Bh 0x0000005f jnp 00007F6A10967096h 0x00000061 lea eax, dword ptr [00000000h+edx*4] 0x00000068 btc dx, sp 0x0000006c jmp 00007F6A10967249h 0x00000071 xchg dh, bh 0x00000073 mov bx, si 0x00000076 mov bx, EE0Ch 0x0000007a jmp 00007F6A10966F1Dh 0x0000007f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CC5830 second address: 0000000002CC592B instructions: 0x00000000 rdtsc 0x00000002 rol ebp, 00000000h 0x00000005 jmp 00007F6A109899F6h 0x00000007 jl 00007F6A10989A46h 0x00000009 bt ebx, eax 0x0000000c mov bl, byte ptr [esp] 0x0000000f bswap edx 0x00000011 mov ax, word ptr [esp] 0x00000015 mov dl, 43h 0x00000017 mov ax, 8824h 0x0000001b clc 0x0000001c jmp 00007F6A10989B7Eh 0x00000021 jc 00007F6A10989965h 0x00000027 jnc 00007F6A1098995Fh 0x0000002d lea esp, dword ptr [esp+04h] 0x00000031 neg ebp 0x00000033 mov bh, byte ptr [esp] 0x00000036 rol al, 00000007h 0x00000039 jmp 00007F6A10989A8Bh 0x0000003b jne 00007F6A10989A4Dh 0x0000003d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CC7AB0 second address: 0000000002CC7AB4 instructions: 0x00000000 rdtsc 0x00000002 xchg ah, dh 0x00000004 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CD3D27 second address: 0000000002CD3EB2 instructions: 0x00000000 rdtsc 0x00000002 mov dh, byte ptr [esp] 0x00000005 jmp 00007F6A109899D1h 0x00000007 pushfd 0x00000008 push dword ptr [esp+04h] 0x0000000c retn 0008h 0x0000000f lea esp, dword ptr [esp+03h] 0x00000013 jmp 00007F6A10989ABFh 0x00000018 add esi, 04h 0x0000001b mov ax, word ptr [esp] 0x0000001f setb dh 0x00000022 xchg dl, ah 0x00000024 jmp 00007F6A109899EDh 0x00000026 push edi 0x00000027 mov ah, byte ptr [esp] 0x0000002a xchg edi, eax 0x0000002c push ecx 0x0000002d jmp 00007F6A10989A36h 0x0000002f push esi 0x00000030 xchg bl, al 0x00000032 dec bh 0x00000034 jp 00007F6A10989AAEh 0x00000036 mov ecx, ebx 0x00000038 jmp 00007F6A10989A94h 0x0000003a mov ah, byte ptr [esp] 0x0000003d mov dx, 5C02h 0x00000041 xor dx, 3A64h 0x00000046 jmp 00007F6A10989D77h 0x0000004b jbe 00007F6A10989A9Bh 0x0000004d jnbe 00007F6A10989A99h 0x0000004f push esi 0x00000050 mov esi, 54CE0987h 0x00000055 xor bl, ch 0x00000057 jbe 00007F6A10989853h 0x0000005d ja 00007F6A1098984Dh 0x00000063 call 00007F6A109899B4h 0x00000068 pop edi 0x00000069 jmp 00007F6A109898FBh 0x0000006e lea edi, dword ptr [00000000h+eax*4] 0x00000075 lea eax, dword ptr [00000000h+esi*4] 0x0000007c setle al 0x0000007f inc al 0x00000081 js 00007F6A109899FEh 0x00000083 jns 00007F6A109899FCh 0x00000085 jmp 00007F6A10989B51h 0x0000008a pop edi 0x0000008b mov edx, 9C6E709Dh 0x00000090 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CBFAF6 second address: 0000000002CBFCBF instructions: 0x00000000 rdtsc 0x00000002 pop dx 0x00000004 jmp 00007F6A109670E8h 0x00000006 xchg eax, edx 0x00000007 dec ax 0x00000009 jno 00007F6A10967097h 0x0000000b xchg al, ah 0x0000000d mov ax, bp 0x00000010 lea esp, dword ptr [esp+02h] 0x00000014 jmp 00007F6A109670C6h 0x00000016 add bl, 00000011h 0x00000019 mov ax, 9BD1h 0x0000001d mov eax, EC020B0Fh 0x00000022 mov al, byte ptr [esp] 0x00000025 xchg al, ah 0x00000027 jmp 00007F6A1096721Dh 0x0000002c lea edx, dword ptr [ebx-000000E2h] 0x00000032 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CBFCBF second address: 0000000002CBFBA8 instructions: 0x00000000 rdtsc 0x00000002 dec bl 0x00000004 mov dl, 6Ah 0x00000006 lea edx, dword ptr [00000000h+eax*4] 0x0000000d jmp 00007F6A1098990Ch 0x00000012 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D108B3 second address: 0000000002D1092A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A109670D0h 0x00000004 sub ebp, 02h 0x00000007 neg ah 0x00000009 jmp 00007F6A109670FEh 0x0000000b jo 00007F6A10967068h 0x0000000d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D1092A second address: 0000000002D1094B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A109899E6h 0x00000004 movzx ebx, byte ptr [esi] 0x00000007 sub esp, 0Ah 0x0000000a jmp 00007F6A10989AE5h 0x0000000f jl 00007F6A109899A5h 0x00000015 xchg dword ptr [esp+01h], eax 0x00000019 pop word ptr [esp] 0x0000001d jmp 00007F6A109899F5h 0x0000001f mov dx, word ptr [esp] 0x00000023 mov dh, ah 0x00000025 sub esp, 10h 0x00000028 jmp 00007F6A109899FEh 0x0000002a lea esp, dword ptr [esp+0Fh] 0x0000002e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CDF002 second address: 0000000002CDF00A instructions: 0x00000000 rdtsc 0x00000002 lea ebx, dword ptr [edi-6350673Ch] 0x00000008 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002CDF00A second address: 0000000002CDEDBB instructions: 0x00000000 rdtsc 0x00000002 neg eax 0x00000004 jns 00007F6A10989825h 0x0000000a jmp 00007F6A109899DAh 0x0000000c mov ebx, esi 0x0000000e mov edx, dword ptr [ebx] 0x00000010 mov ah, al 0x00000012 mov eax, dword ptr [esp] 0x00000015 jmp 00007F6A109899CCh 0x00000017 mov bl, byte ptr [esi+04h] 0x0000001a clc 0x0000001b jc 00007F6A10989A16h 0x0000001d mov ah, byte ptr [esp] 0x00000020 jmp 00007F6A10989A14h 0x00000022 call 00007F6A10989A6Bh 0x00000027 mov dword ptr [esp], eax 0x0000002a jmp 00007F6A10989A10h 0x0000002c sub esi, 02h 0x0000002f mov eax, 22755878h 0x00000034 mov ax, 5CECh 0x00000038 mov ah, cl 0x0000003a jmp 00007F6A10989A5Ah 0x0000003c xchg ebx, ecx 0x0000003e lea eax, dword ptr [eax+edi] 0x00000041 lea eax, dword ptr [00000000h+eax*4] 0x00000048 mov ah, byte ptr [esp] 0x0000004b jmp 00007F6A10989A0Bh 0x0000004d shl edx, cl 0x0000004f lea eax, dword ptr [00000000h+edx*4] 0x00000056 push bp 0x00000058 mov byte ptr [esp], bl 0x0000005b jmp 00007F6A10989A73h 0x0000005d lea esp, dword ptr [esp+02h] 0x00000061 xchg ebx, ecx 0x00000063 mov eax, esp 0x00000065 xchg al, ah 0x00000067 lea eax, dword ptr [ebx-000082EAh] 0x0000006d jmp 00007F6A10989A08h 0x0000006f mov dword ptr [esi+04h], edx 0x00000072 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CD9DA4 second address: 0000000002CD9DF6 instructions: 0x00000000 rdtsc 0x00000002 dec ebp 0x00000003 jmp 00007F6A10967033h 0x00000005 mov ax, word ptr [esp] 0x00000009 btc dx, si 0x0000000d jmp 00007F6A109670F8h 0x0000000f jnbe 00007F6A1096706Eh 0x00000011 mov ah, byte ptr [esp] 0x00000014 lea edx, dword ptr [00000000h+eax*4] 0x0000001b mov eax, dword ptr [esp] 0x0000001e add dx, 7A10h 0x00000023 not ah 0x00000025 mov edx, edi 0x00000027 jmp 00007F6A1096714Dh 0x0000002c inc dx 0x0000002e jnle 00007F6A10967098h 0x00000030 not edx 0x00000032 mov edx, dword ptr [esp] 0x00000035 jmp 00007F6A109670CCh 0x00000037 not bl 0x00000039 bt edx, eax 0x0000003c jle 00007F6A10967091h 0x0000003e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CD9DF6 second address: 0000000002CD9EAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A10989AB9h 0x00000007 setnle dl 0x0000000a setns dl 0x0000000d cmp edx, esi 0x0000000f jmp 00007F6A10989A00h 0x00000011 mov edx, dword ptr [esp] 0x00000014 neg bl 0x00000016 bswap edx 0x00000018 rcl eax, 07h 0x0000001b jmp 00007F6A10989A36h 0x0000001d jnbe 00007F6A10989A0Ah 0x0000001f mov ax, word ptr [esp] 0x00000023 shl edx, 19h 0x00000026 jmp 00007F6A10989A65h 0x00000028 mov edx, dword ptr [esp] 0x0000002b rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CD4149 second address: 0000000002CD41B4 instructions: 0x00000000 rdtsc 0x00000002 call 00007F6A1096710Ah 0x00000007 lea edx, dword ptr [ebx+ebp] 0x0000000a mov bx, bp 0x0000000d jmp 00007F6A10967094h 0x0000000f lea ebx, dword ptr [esi-0000FFF0h] 0x00000015 xchg dword ptr [esp], edi 0x00000018 mov eax, 56ACE388h 0x0000001d jmp 00007F6A109670D6h 0x0000001f mov dx, bx 0x00000022 lea edi, dword ptr [edi+23h] 0x00000025 mov al, 71h 0x00000027 not ebx 0x00000029 sub esp, 18h 0x0000002c add esp, 15h 0x0000002f jmp 00007F6A1096708Ah 0x00000031 lea esp, dword ptr [esp+03h] 0x00000035 xchg dword ptr [esp], edi 0x00000038 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CD41B4 second address: 0000000002CC5830 instructions: 0x00000000 rdtsc 0x00000002 dec edx 0x00000003 mov ebx, ecx 0x00000005 mov edx, esp 0x00000007 jmp 00007F6A10989B35h 0x0000000c push dword ptr [esp] 0x0000000f retn 0004h 0x00000012 call 00007F6A10989A18h 0x00000017 pop ax 0x00000019 lea esp, dword ptr [esp+02h] 0x0000001d jmp 00007F6A10989AD4h 0x00000022 mov ebp, dword ptr [esi] 0x00000024 bswap ebx 0x00000026 neg dx 0x00000029 jnle 00007F6A10989A13h 0x0000002b shl bh, 00000000h 0x0000002e mov edx, esi 0x00000030 jmp 00007F6A10989A62h 0x00000032 add esi, 04h 0x00000035 dec bx 0x00000037 jnbe 00007F6A10989A15h 0x00000039 lea ebx, dword ptr [05B59A4Ah] 0x0000003f call 00007F6A10989A53h 0x00000044 jmp 00007F6A1097AF8Eh 0x00000049 mov ecx, ebp 0x0000004b bsr bx, dx 0x0000004f jo 00007F6A109899FFh 0x00000051 mov dx, word ptr [esp] 0x00000055 mov edx, 0D44127Fh 0x0000005a xchg ax, dx 0x0000005c jmp 00007F6A10989A40h 0x0000005e not ebx 0x00000060 push ebp 0x00000061 jmp 00007F6A10989A4Dh 0x00000063 mov edx, eax 0x00000065 neg dh 0x00000067 jc 00007F6A10989ACFh 0x0000006d jmp 00007F6A109899E0h 0x0000006f setb al 0x00000072 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CD0342 second address: 0000000002CD0373 instructions: 0x00000000 rdtsc 0x00000002 xchg bl, dl 0x00000004 clc 0x00000005 jo 00007F6A109670C7h 0x00000007 jno 00007F6A109670C5h 0x00000009 push ebp 0x0000000a jmp 00007F6A109670B6h 0x0000000c lea ebp, dword ptr [ebx+000000F6h] 0x00000012 lea ecx, dword ptr [edx-6BD77D8Ah] 0x00000018 mov ebx, edi 0x0000001a rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CD9D23 second address: 0000000002CD9DF6 instructions: 0x00000000 rdtsc 0x00000002 call 00007F6A109899DFh 0x00000007 mov dl, CCh 0x00000009 mov eax, dword ptr [esp] 0x0000000c mov eax, dword ptr [esp] 0x0000000f lea edx, dword ptr [esp+ebp] 0x00000012 jmp 00007F6A10989A0Fh 0x00000014 xchg dword ptr [esp], ebp 0x00000017 sub esp, 0Eh 0x0000001a stc 0x0000001b call 00007F6A10989A62h 0x00000020 lea eax, dword ptr [esp+eax] 0x00000023 push dword ptr [esp+11h] 0x00000027 lea esp, dword ptr [esp+02h] 0x0000002b jmp 00007F6A10989A0Fh 0x0000002d lea ebp, dword ptr [ebp+7Ch] 0x00000030 push sp 0x00000032 rcl eax, cl 0x00000034 mov dh, byte ptr [esp] 0x00000037 xchg dh, dl 0x00000039 lea esp, dword ptr [esp+02h] 0x0000003d jmp 00007F6A10989A43h 0x0000003f xchg dword ptr [esp+14h], ebp 0x00000043 mov dl, byte ptr [esp] 0x00000046 xchg dh, dl 0x00000048 mov ah, 8Dh 0x0000004a push dword ptr [esp+14h] 0x0000004e retn 0018h 0x00000051 dec ebp 0x00000052 jmp 00007F6A109899B3h 0x00000054 mov ax, word ptr [esp] 0x00000058 btc dx, si 0x0000005c jmp 00007F6A10989A78h 0x0000005e jnbe 00007F6A109899EEh 0x00000060 mov ah, byte ptr [esp] 0x00000063 lea edx, dword ptr [00000000h+eax*4] 0x0000006a mov eax, dword ptr [esp] 0x0000006d add dx, 7A10h 0x00000072 not ah 0x00000074 mov edx, edi 0x00000076 jmp 00007F6A10989ACDh 0x0000007b inc dx 0x0000007d jnle 00007F6A10989A18h 0x0000007f not edx 0x00000081 mov edx, dword ptr [esp] 0x00000084 jmp 00007F6A10989A4Ch 0x00000086 not bl 0x00000088 bt edx, eax 0x0000008b jle 00007F6A10989A11h 0x0000008d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CD9027 second address: 0000000002CD9124 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [00000000h+esi*4] 0x00000009 xchg dword ptr [esp+18h], ecx 0x0000000d xchg dh, ah 0x0000000f dec ah 0x00000011 call 00007F6A10967083h 0x00000016 lea esp, dword ptr [esp+02h] 0x0000001a jmp 00007F6A109670F4h 0x0000001c lea esp, dword ptr [esp+02h] 0x00000020 push dword ptr [esp+18h] 0x00000024 retn 001Ch 0x00000027 mov ebx, dword ptr [ebp+00h] 0x0000002a bt dx, sp 0x0000002e jnc 00007F6A10967104h 0x00000030 and edx, FD9B4CC2h 0x00000036 bsr ax, si 0x0000003a lea eax, dword ptr [edx+ebp] 0x0000003d jmp 00007F6A109670F0h 0x0000003f mov dl, byte ptr [ebp+04h] 0x00000042 lea eax, dword ptr [00000000h+eax*4] 0x00000049 mov eax, esi 0x0000004b sub ebp, 02h 0x0000004e jmp 00007F6A1096722Eh 0x00000053 shr eax, cl 0x00000055 jc 00007F6A10967032h 0x00000057 bt ax, si 0x0000005b ror ah, cl 0x0000005d and ax, ax 0x00000060 jmp 00007F6A10966F7Fh 0x00000065 xchg edx, ecx 0x00000067 not ax 0x0000006a jmp 00007F6A1096707Eh 0x0000006c shl ebx, cl 0x0000006e not eax 0x00000070 mov al, byte ptr [esp] 0x00000073 mov ax, word ptr [esp] 0x00000077 xchg edx, ecx 0x00000079 jmp 00007F6A109670B6h 0x0000007b mov ax, 3D73h 0x0000007f jmp 00007F6A10967120h 0x00000081 mov dword ptr [ebp+04h], ebx 0x00000084 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CD9124 second address: 0000000002CBF028 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [ecx+ecx] 0x00000005 xchg dl, ah 0x00000007 setbe al 0x0000000a jmp 00007F6A109899E6h 0x0000000c pushfd 0x0000000d pop dword ptr [ebp+00h] 0x00000010 lea eax, dword ptr [00000000h+eax*4] 0x00000017 mov ebx, dword ptr [esp] 0x0000001a jmp 00007F6A10989A0Ch 0x0000001c lea ebx, dword ptr [ecx+000000BAh] 0x00000022 mov dx, word ptr [esp] 0x00000026 jmp 00007F6A10989A62h 0x00000028 mov dx, di 0x0000002b mov bl, CCh 0x0000002d sub esp, 13h 0x00000030 jnc 00007F6A10989A12h 0x00000032 jmp 00007F6A10989A82h 0x00000034 push word ptr [esp+0Dh] 0x00000039 lea esp, dword ptr [esp+01h] 0x0000003d lea edx, dword ptr [edi+50h] 0x00000040 lea ebx, dword ptr [edi+17h] 0x00000043 push ax 0x00000045 mov ebx, eax 0x00000047 jmp 00007F6A10989A8Dh 0x00000049 mov ax, 1BE3h 0x0000004d lea esp, dword ptr [esp+02h] 0x00000051 cmp ebp, edx 0x00000053 ja 00007F6A1096FB22h 0x00000059 jmp 00007F6A109897BAh 0x0000005e movzx ebx, byte ptr [esi] 0x00000061 adc dx, di 0x00000064 jne 00007F6A10989A0Eh 0x00000066 call 00007F6A10989B59h 0x0000006b pop edx 0x0000006c mov dx, word ptr [esp] 0x00000070 jmp 00007F6A10989907h 0x00000075 mov eax, dword ptr [esp] 0x00000078 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CDAFBB second address: 0000000002CBF028 instructions: 0x00000000 rdtsc 0x00000002 lea ebx, dword ptr [ebx-00001F34h] 0x00000008 push ebp 0x00000009 jmp 00007F6A1096702Fh 0x0000000e mov byte ptr [esp+02h], dh 0x00000012 setl ah 0x00000015 pushfd 0x00000016 xchg dword ptr [esp+08h], ebx 0x0000001a xchg al, bh 0x0000001c pushad 0x0000001d jmp 00007F6A10966FF8h 0x00000022 mov dh, bl 0x00000024 mov bl, byte ptr [esp] 0x00000027 push dword ptr [esp+28h] 0x0000002b retn 002Ch 0x0000002e dec dh 0x00000030 ja 00007F6A10967401h 0x00000036 btr dx, si 0x0000003a call 00007F6A10966DC5h 0x0000003f pushfd 0x00000040 lea edx, dword ptr [edi+50h] 0x00000043 lea ebx, dword ptr [ebp-00002F6Bh] 0x00000049 mov al, cl 0x0000004b jmp 00007F6A10967072h 0x0000004d mov ah, byte ptr [esp] 0x00000050 push sp 0x00000052 lea esp, dword ptr [esp+02h] 0x00000056 cmp ebp, edx 0x00000058 jnp 00007F6A1096708Eh 0x0000005a jmp 00007F6A109670DEh 0x0000005c not al 0x0000005e bswap ebx 0x00000060 ja 00007F6A1094D65Eh 0x00000066 jmp 00007F6A10966E3Ah 0x0000006b movzx ebx, byte ptr [esi] 0x0000006e adc dx, di 0x00000071 jne 00007F6A1096708Eh 0x00000073 call 00007F6A109671D9h 0x00000078 pop edx 0x00000079 mov dx, word ptr [esp] 0x0000007d jmp 00007F6A10966F87h 0x00000082 mov eax, dword ptr [esp] 0x00000085 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CDD172 second address: 0000000002CDD230 instructions: 0x00000000 rdtsc 0x00000002 xchg bx, dx 0x00000005 pushad 0x00000006 push dword ptr [esp+0Dh] 0x0000000a jmp 00007F6A10989ACAh 0x0000000f jo 00007F6A10989A46h 0x00000011 mov ebx, dword ptr [ebp+00h] 0x00000014 pushfd 0x00000015 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CDA8D4 second address: 0000000002CDAA68 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 3A160AC8h 0x00000007 jmp 00007F6A1096858Ah 0x0000000c shl ah, 00000005h 0x0000000f je 00007F6A10965EB9h 0x00000015 lea edx, dword ptr [00000000h+eax*4] 0x0000001c mov ebx, dword ptr [esi] 0x0000001f jmp 00007F6A10966F9Bh 0x00000024 mov ax, D482h 0x00000028 mov dx, word ptr [esp] 0x0000002c lea edx, dword ptr [esp-00005E22h] 0x00000033 sub esi, 04h 0x00000036 rcl dx, 1 0x00000039 jmp 00007F6A1096700Ch 0x0000003e jne 00007F6A109670E3h 0x00000040 mov edx, 302DC918h 0x00000045 neg ah 0x00000047 btr eax, esi 0x0000004a mov edx, esi 0x0000004c mov dword ptr [edx], ebx 0x0000004e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002D108E0 second address: 0000000002D1094B instructions: 0x00000000 rdtsc 0x00000002 movzx ebx, byte ptr [esi] 0x00000005 sub esp, 0Ah 0x00000008 jmp 00007F6A10989AE5h 0x0000000d jl 00007F6A109899A5h 0x00000013 xchg dword ptr [esp+01h], eax 0x00000017 pop word ptr [esp] 0x0000001b jmp 00007F6A109899F5h 0x0000001d mov dx, word ptr [esp] 0x00000021 mov dh, ah 0x00000023 sub esp, 10h 0x00000026 jmp 00007F6A109899FEh 0x00000028 lea esp, dword ptr [esp+0Fh] 0x0000002c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CC0A9F second address: 0000000002CC0AF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A109672A1h 0x00000007 lea esp, dword ptr [esp+01h] 0x0000000b push dword ptr [esp+20h] 0x0000000f retn 0024h 0x00000012 inc eax 0x00000013 xor dx, 4A5Ch 0x00000018 pop dx 0x0000001a jmp 00007F6A109671A4h 0x0000001f lea esp, dword ptr [esp+02h] 0x00000023 rol bl, 00000000h 0x00000026 xchg dl, al 0x00000028 lea edx, dword ptr [00000000h+eax*4] 0x0000002f not ah 0x00000031 jmp 00007F6A10967073h 0x00000033 btc edx, edx 0x00000036 jbe 00007F6A10967097h 0x00000038 xchg dl, al 0x0000003a jmp 00007F6A109670D1h 0x0000003c dec bl 0x0000003e xchg ax, dx 0x00000040 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CD9DB0 second address: 0000000002CD9DF6 instructions: 0x00000000 rdtsc 0x00000002 mov dl, byte ptr [esp] 0x00000005 push dword ptr [esp+1Ch] 0x00000009 retn 0020h 0x0000000c mov edx, edi 0x0000000e jmp 00007F6A10989ACDh 0x00000013 inc dx 0x00000015 jnle 00007F6A10989A18h 0x00000017 not edx 0x00000019 mov edx, dword ptr [esp] 0x0000001c jmp 00007F6A10989A4Ch 0x0000001e not bl 0x00000020 bt edx, eax 0x00000023 jle 00007F6A10989A11h 0x00000025 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002D29BC1 second address: 0000000002D29B95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A10967061h 0x00000004 mov dword ptr [ebp+00h], ebx 0x00000007 jmp 00007F6A10967095h 0x00000009 bswap edx 0x0000000b mov bx, bp 0x0000000e mov bx, word ptr [esp] 0x00000012 call 00007F6A109670DAh 0x00000017 lea edx, dword ptr [esp+edx] 0x0000001a mov bx, si 0x0000001d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CBECF2 second address: 0000000002CBED3A instructions: 0x00000000 rdtsc 0x00000002 setnp bh 0x00000005 btc dx, bx 0x00000009 jmp 00007F6A10989A61h 0x0000000b lea ecx, dword ptr [ecx-00000087h] 0x00000011 mov edx, A9B55FE2h 0x00000016 mov ax, si 0x00000019 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CBED3A second address: 0000000002CBED16 instructions: 0x00000000 rdtsc 0x00000002 xchg dword ptr [esp], ecx 0x00000005 xchg eax, edx 0x00000006 jmp 00007F6A10967086h 0x00000008 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CBED16 second address: 0000000002CBEE1E instructions: 0x00000000 rdtsc 0x00000002 clc 0x00000003 push dword ptr [esp] 0x00000006 retn 0004h 0x00000009 mov bh, byte ptr [esp] 0x0000000c shr ah, 00000006h 0x0000000f jl 00007F6A10989B89h 0x00000015 cpuid 0x00000017 mov ecx, esi 0x00000019 mov edx, AAC6D270h 0x0000001e xchg eax, ebx 0x0000001f lea eax, dword ptr [ebp+000000F7h] 0x00000025 jmp 00007F6A109899EFh 0x00000027 shr bx, 000Bh 0x0000002b jnp 00007F6A10989A16h 0x0000002d lea eax, dword ptr [00000000h+edx*4] 0x00000034 btc dx, sp 0x00000038 jmp 00007F6A10989BC9h 0x0000003d xchg dh, bh 0x0000003f mov bx, si 0x00000042 mov bx, EE0Ch 0x00000046 jmp 00007F6A1098989Dh 0x0000004b rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CC5767 second address: 0000000002CC5830 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6A109670DCh 0x00000005 pushfd 0x00000006 mov ecx, ebp 0x00000008 bsr bx, dx 0x0000000c jo 00007F6A1096707Fh 0x0000000e mov dx, word ptr [esp] 0x00000012 mov edx, 0D44127Fh 0x00000017 xchg ax, dx 0x00000019 jmp 00007F6A109670C0h 0x0000001b not ebx 0x0000001d push ebp 0x0000001e jmp 00007F6A109670CDh 0x00000020 mov edx, eax 0x00000022 neg dh 0x00000024 jc 00007F6A1096714Fh 0x0000002a jmp 00007F6A10967060h 0x0000002c setb al 0x0000002f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CBEC77 second address: 0000000002CBECF2 instructions: 0x00000000 rdtsc 0x00000002 setns dh 0x00000005 jmp 00007F6A10989A02h 0x00000007 cpuid 0x00000009 bsf di, bx 0x0000000d xchg ch, dh 0x0000000f push dword ptr [esp] 0x00000012 retn 0004h 0x00000015 mov esi, dword ptr [esp+2Ch] 0x00000019 clc 0x0000001a jmp 00007F6A10989A71h 0x0000001c jp 00007F6A10989A46h 0x0000001e mov eax, dword ptr [esp] 0x00000021 bswap eax 0x00000023 jmp 00007F6A1098A0F0h 0x00000028 lea ebp, dword ptr [esp] 0x0000002b bsf cx, sp 0x0000002f jg 00007F6A1098936Eh 0x00000035 lea edi, dword ptr [ebp-21h] 0x00000038 call 00007F6A10989DA8h 0x0000003d inc cx 0x0000003f jmp 00007F6A10989727h 0x00000044 jc 00007F6A10989A67h 0x00000046 jnc 00007F6A10989A65h 0x00000048 sub esp, 000000BCh 0x0000004e mov edi, esp 0x00000050 xchg eax, edx 0x00000051 call 00007F6A10989998h 0x00000056 xchg dl, bl 0x00000058 lea ecx, dword ptr [00000000h+ebx*4] 0x0000005f mov ch, byte ptr [esp] 0x00000062 xchg bl, bh 0x00000064 jmp 00007F6A10989A4Eh 0x00000066 xchg dword ptr [esp], ecx 0x00000069 lea ebx, dword ptr [ebp+00004234h] 0x0000006f mov ax, bx 0x00000072 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CBED5F second address: 0000000002CBEE1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A1096712Ah 0x00000004 mov bh, A0h 0x00000006 xchg dword ptr [esp], ecx 0x00000009 mov dl, 73h 0x0000000b clc 0x0000000c mov ah, 62h 0x0000000e pushfd 0x0000000f jmp 00007F6A10967063h 0x00000011 mov dx, 6B77h 0x00000015 lea ecx, dword ptr [ecx+000000BDh] 0x0000001b rcl bl, cl 0x0000001d mov dh, byte ptr [esp] 0x00000020 sete bh 0x00000023 neg edx 0x00000025 jmp 00007F6A10967086h 0x00000027 xchg dword ptr [esp+04h], ecx 0x0000002b mov dx, word ptr [esp] 0x0000002f sub esp, 0Ah 0x00000032 jmp 00007F6A109670D1h 0x00000034 lea edx, dword ptr [esp+00003586h] 0x0000003b call 00007F6A109670BFh 0x00000040 lea esp, dword ptr [esp+02h] 0x00000044 push dword ptr [esp+10h] 0x00000048 retn 0014h 0x0000004b mov ecx, esi 0x0000004d mov edx, AAC6D270h 0x00000052 xchg eax, ebx 0x00000053 lea eax, dword ptr [ebp+000000F7h] 0x00000059 jmp 00007F6A1096706Fh 0x0000005b shr bx, 000Bh 0x0000005f jnp 00007F6A10967096h 0x00000061 lea eax, dword ptr [00000000h+edx*4] 0x00000068 btc dx, sp 0x0000006c jmp 00007F6A10967249h 0x00000071 xchg dh, bh 0x00000073 mov bx, si 0x00000076 mov bx, EE0Ch 0x0000007a jmp 00007F6A10966F1Dh 0x0000007f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002D20D07 second address: 0000000002D20D09 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CF89DA second address: 0000000002CF8A0D instructions: 0x00000000 rdtsc 0x00000002 mov al, 1Bh 0x00000004 jmp 00007F6A109670D3h 0x00000006 mov eax, esi 0x00000008 mov word ptr [eax], bx 0x0000000b mov edx, 5B70B88Ch 0x00000010 mov dl, cl 0x00000012 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002D10D07 second address: 0000000002D10D09 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002CE89DA second address: 0000000002CE8A0D instructions: 0x00000000 rdtsc 0x00000002 mov al, 1Bh 0x00000004 jmp 00007F6A109670D3h 0x00000006 mov eax, esi 0x00000008 mov word ptr [eax], bx 0x0000000b mov edx, 5B70B88Ch 0x00000010 mov dl, cl 0x00000012 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002D9BD16 second address: 0000000002D9BCB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A109899C9h 0x00000004 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002D8BD16 second address: 0000000002D8BCB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6A10967049h 0x00000004 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe TID: 2312; Thread sleep time: -40000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\abd1 .exe TID: 4980; Thread sleep count: 99 > 30
                Source: C:\Users\user\AppData\Roaming\abd1 .exe TID: 4144; Thread sleep count: 123 > 30
                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSIB6D2.tmp
                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSIB606.tmp
                Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSIB578.tmp
                Source: C:\Users\user\AppData\Roaming\abd1 .exe; Memory allocated: 8BF0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\abd1 .exe; Memory allocated: 8C80000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\abd1 .exe; Memory allocated: 8CB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\abd1 .exe; Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
                Source: C:\Windows\System32\msiexec.exe; Process information queried: ProcessInformation
                Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation
                Source: abd1 .exe, 0000000E.00000002.504207497.000000000090D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly~
                Source: abd1 .exe, 0000000E.00000002.584150699.0000000004DC6000.00000040.00000020.00020000.00000000.sdmp; Binary or memory string: DisableGuestVmNetworkConnectivity
                Source: abd1 .exe, 0000000E.00000002.584150699.0000000004DC6000.00000040.00000020.00020000.00000000.sdmp; Binary or memory string: EnableGuestVmNetworkConnectivity

                Anti Debugging

                Source: C:\Users\user\AppData\Roaming\abd1 .exe; Thread information set: HideFromDebugger
                Source: C:\Users\user\AppData\Roaming\abd1 .exe; Process queried: DebugPort
                Source: C:\Windows\System32\msiexec.exe; Process created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exe
                Source: abd1 .exe, 00000003.00000002.611192393.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000003.438355433.0000000004B2C000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.584990480.0000000004F01000.00000040.00000800.00020000.00000000.sdmp; Binary or memory string: GetProgmanWindow
                Source: abd1 .exe, 00000003.00000000.271003377.0000000000401000.00000020.00000001.01000000.00000003.sdmp; Binary or memory string: ProgmanU
                Source: abd1 .exe, 00000003.00000002.611192393.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000003.438355433.0000000004B2C000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.584990480.0000000004F01000.00000040.00000800.00020000.00000000.sdmp; Binary or memory string: SetProgmanWindow
                Source: C:\Windows\System32\msiexec.exe; Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\AppData\Roaming\abd1 .exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                Tactics and techniques (numbers in parentheses are the counts shown in the report matrix):

                Initial Access: Replication Through Removable Media (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
                Execution: Windows Management Instrumentation (1), Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell
                Persistence: Registry Run Keys / Startup Folder (1), DLL Side-Loading (1), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
                Privilege Escalation: Process Injection (2), Registry Run Keys / Startup Folder (1), DLL Side-Loading (1), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
                Defense Evasion: Masquerading (21), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (13), Process Injection (2), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (1), DLL Side-Loading (1), File Deletion (1)
                Credential Access: Credential API Hooking (1), Input Capture (21), Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
                Discovery: Security Software Discovery (321), Virtualization/Sandbox Evasion (13), Process Discovery (2), Peripheral Device Discovery (11), Remote System Discovery (1), System Information Discovery (122), Network Sniffing, Network Service Scanning, System Network Connections Discovery
                Lateral Movement: Replication Through Removable Media (1), Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools
                Collection: Credential API Hooking (1), Input Capture (21), Archive Collected Data (1), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
                Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                Command and Control: Encrypted Channel (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (12), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
                Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
                Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
                Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction
Source | Detection | Scanner | Label | Link
rPEDIDOS-10032023-X491kkum.msi | 30% | Virustotal | - | Browse
rPEDIDOS-10032023-X491kkum.msi | 26% | ReversingLabs | Win32.Trojan.Razy | -

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\WebUI.dll | 100% | Joe Sandbox ML | - | -
C:\Users\user\AppData\Roaming\WebUI.dll | 36% | ReversingLabs | Win32.Trojan.Razy | -
C:\Users\user\AppData\Roaming\abd1 .exe | 0% | ReversingLabs | - | -
C:\Windows\Installer\MSIB3E1.tmp | 0% | ReversingLabs | - | -
C:\Windows\Installer\MSIB578.tmp | 0% | ReversingLabs | - | -
C:\Windows\Installer\MSIB606.tmp | 0% | ReversingLabs | - | -
C:\Windows\Installer\MSIB6D2.tmp | 0% | ReversingLabs | - | -
C:\Windows\Installer\MSIB76F.tmp | 0% | ReversingLabs | - | -

Source | Detection | Scanner | Label | Link
13.2.abd1 .exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1204765 | Download File

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://www.indyproject.org/ | 0% | URL Reputation | safe | -
http://stats.itopvpn.com/iusage.php | 0% | Avira URL Cloud | safe | -
http://www.indyproject.org/Original | 0% | Avira URL Cloud | safe | -
http://stats.itopvpn.com/iusage.php | 0% | Virustotal | - | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
telemarketin-ru.1gb.ru | 81.176.228.4 | true | false | - | high

Name | Malicious | Antivirus Detection | Reputation
http://telemarketin-ru.1gb.ru/pedro/inspecionando.php | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://stats.itopvpn.com/iusage.php | abd1 .exe, 00000003.00000000.271003377.0000000000401000.00000020.00000001.01000000.00000003.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://telemarketin-ru.1gb.ru/pedro/inspecionando.php-X | abd1 .exe, 0000000E.00000002.504207497.0000000000916000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://telemarketin-ru.1gb.ru/pedro/inspecionando.phpCC: | abd1 .exe, 0000000E.00000002.504207497.0000000000946000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://telemarketin-ru.1gb.ru/pedro/inspecionando.php0Z | abd1 .exe, 0000000E.00000002.504207497.0000000000916000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.indyproject.org/Original | abd1 .exe | false | Avira URL Cloud: safe | unknown
http://telemarketin-ru.1gb.ru/pedro/inspecionando.php(Z | abd1 .exe, 0000000E.00000002.504207497.0000000000916000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://telemarketin-ru.1gb.ru/pedro/inspecionando.phputllib.dll.DLL | abd1 .exe, 0000000D.00000002.500278437.0000000000195000.00000004.00000010.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.503469245.0000000000195000.00000004.00000010.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/soap/envelope/ | abd1 .exe, 00000003.00000000.271003377.0000000000401000.00000020.00000001.01000000.00000003.sdmp | false | - | high
http://telemarketin-ru.1gb.ru/pedro/inspecionando.php2?Z | abd1 .exe, 0000000E.00000002.504207497.0000000000916000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://telemarketin-ru.1gb.ru/pedro/inspecionando.php=Z | abd1 .exe, 0000000E.00000002.504207497.0000000000916000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://telemarketin-ru.1gb.ru/pedro/inspecionando.php?Z | abd1 .exe, 0000000E.00000002.504207497.000000000090D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.indyproject.org/ | abd1 .exe, abd1 .exe, 00000003.00000002.595147718.0000000000F1F000.00000040.00000001.01000000.00000004.sdmp, abd1 .exe, 0000000D.00000002.588489150.000000000511F000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.502129000.0000000000F3B000.00000040.00000001.01000000.00000004.sdmp, abd1 .exe, 0000000E.00000002.588364426.000000000513F000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.505849205.0000000000F2F000.00000040.00000001.01000000.00000004.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
15.228.77.178 | unknown | United States | 16509 | AMAZON-02US | false
81.176.228.4 | telemarketin-ru.1gb.ru | Russian Federation | 8342 | RTCOMM-ASRU | false
                                      Joe Sandbox Version:37.0.0 Beryl
                                      Analysis ID:825345
                                      Start date and time:2023-03-13 12:42:27 +01:00
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 11m 40s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:17
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample file name:rPEDIDOS-10032023-X491kkum.msi
                                      Detection:MAL
                                      Classification:mal76.evad.winMSI@8/27@1/2
                                      EGA Information:
                                      • Successful, ratio: 50%
                                      HDC Information:Failed
                                      HCA Information:
                                      • Successful, ratio: 79%
                                      • Number of executed functions: 11
                                      • Number of non-executed functions: 17
                                      Cookbook Comments:
                                      • Found application associated with file extension: .msi
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                      • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com
• Execution Graph export aborted for target abd1 .exe, PID 972 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
12:44:09 | API Interceptor | 1x Sleep call for process: abd1 .exe modified
12:44:32 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run abd1.exe C:\Users\user\AppData\Roaming\abd1.exe
12:44:40 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run abd1.exe C:\Users\user\AppData\Roaming\abd1.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
15.228.77.178 | z93nf_e_mnhhh345553.msi | Get hash | malicious | Unknown | Browse | -
15.228.77.178 | z1n_f_e_Fa_tu_r4_03.msi | Get hash | malicious | Unknown | Browse | -
15.228.77.178 | PEDIDOS-08032023-X388omke.msi | Get hash | malicious | Unknown | Browse | -
15.228.77.178 | Nota-LG-emitida-13488mhqt.msi | Get hash | malicious | Unknown | Browse | -
15.228.77.178 | __B0L3T0_06Marc_23_f4tur4__.msi | Get hash | malicious | Unknown | Browse | -
15.228.77.178 | __B0L3T0_06Marc_23_f4tur4__.msi | Get hash | malicious | Unknown | Browse | -
15.228.77.178 | rPedido-Danfe-03-03-202316872pnlc.msi | Get hash | malicious | Unknown | Browse | -
15.228.77.178 | Autos-Processo 27-02-2023 ligh.msi | Get hash | malicious | Unknown | Browse | -
15.228.77.178 | rEmita-Danfe-01-03-20234076czdg.msi | Get hash | malicious | Unknown | Browse | -
81.176.228.4 | PEDIDOS-08032023-X388omke.msi | Get hash | malicious | Unknown | Browse | adrelalinapu-ru.1gb.ru/pedro/inspecionando.php
81.176.228.4 | Nota-LG-emitida-13488mhqt.msi | Get hash | malicious | Unknown | Browse | adrelalinapu-ru.1gb.ru/pedro/inspecionando.php
81.176.228.4 | rPedido-Danfe-03-03-202316872pnlc.msi | Get hash | malicious | Unknown | Browse | adrelalinapu-ru.1gb.ru/pedro/inspecionando.php
81.176.228.4 | Autos-Processo 27-02-2023 ligh.msi | Get hash | malicious | Unknown | Browse | adrelalinapu-ru.1gb.ru/pedro/inspecionando.php
81.176.228.4 | rEmita-Danfe-01-03-20234076czdg.msi | Get hash | malicious | Unknown | Browse | adrelalinapu-ru.1gb.ru/pedro/inspecionando.php
81.176.228.4 | http://monte24s.1gb.ru/redir/ | Get hash | malicious | Unknown | Browse | monte24s.1gb.ru/redir/

No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AMAZON-02US | https://idhelp23049215812893444.web.app/ | Get hash | malicious | Unknown | Browse | 18.185.166.222
AMAZON-02US | PO-230803-S00.exe | Get hash | malicious | FormBook | Browse | 3.69.136.55
AMAZON-02US | https://awholelevelkpo.s3.us-east-2.amazonaws.com/index.html | Get hash | malicious | Unknown | Browse | 52.219.107.10
AMAZON-02US | qtXuN5sDix.rtf | Get hash | malicious | Remcos, FormBook | Browse | 18.190.160.39
AMAZON-02US | https://www.msn.com/pt-pt/noticias/other/greve-de-maquinistas-cp-antecipa-especial-impacto-na-sexta-feira/ar-AA18pim3?ocid=entnewsntp&cvid=5309aaea6b164ccbb2cf47bd8a788782&ei=13 | Get hash | malicious | Unknown | Browse | 3.66.118.193
AMAZON-02US | trttrabalhodocseis.msi | Get hash | malicious | Unknown | Browse | 52.218.220.1
AMAZON-02US | hua.apk | Get hash | malicious | Unknown | Browse | 13.228.23.243
AMAZON-02US | hua.apk | Get hash | malicious | Unknown | Browse | 13.228.23.243
AMAZON-02US | quotation.doc23.exe | Get hash | malicious | FormBook | Browse | 3.13.31.214
AMAZON-02US | SATIN_ALMA_EMR#U0130.exe | Get hash | malicious | FormBook | Browse | 3.64.163.50
AMAZON-02US | http://47.87.201.129:71/sdjdshdgdsdsfsfausjashsaggsafsfaa.x86 | Get hash | malicious | Unknown | Browse | 54.149.38.208
AMAZON-02US | php.ini | Get hash | malicious | Unknown | Browse | 3.64.163.50
AMAZON-02US | https://links.info.tjx.com/ctt?m=17231935&rnxghs=MjY0MDEyMzU5MzU0S0&b=0&j=MTc4MTczNTAyNwS2&k=Portal%20URL&kx=1&kt=12&kd=https://vegasvalleypainting.com%2F%2F%2F%2F/password/%2F%2F%2F%2Fverification/mhbsptk%2F%2F%2F%2Ftest.user@outlook.com | Get hash | malicious | HTMLPhisher | Browse | 13.224.189.7
AMAZON-02US | Ro7iDwFIKA.exe | Get hash | malicious | FormBook | Browse | 3.64.163.50
AMAZON-02US | brbrbr.x86.elf | Get hash | malicious | Mirai | Browse | 54.254.156.142
AMAZON-02US | http://www.gourmethousemacau.com/ | Get hash | malicious | Unknown | Browse | 65.9.25.112
AMAZON-02US | https://filezilla-project.org/download.php?type=client | Get hash | malicious | Unknown | Browse | 15.236.125.10
AMAZON-02US | Invoice_INV14424_1678402727793.html | Get hash | malicious | Unknown | Browse | 176.34.148.185
AMAZON-02US | SXhGoQgHFE.rtf | Get hash | malicious | Remcos, FormBook | Browse | 18.190.160.39
AMAZON-02US | zvsq4yR8XC.exe | Get hash | malicious | Snake Keylogger | Browse | 75.2.60.5

No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Roaming\abd1 .exe | j3PHT0tBBF.msi | Get hash | malicious | Unknown | Browse | -
C:\Users\user\AppData\Roaming\abd1 .exe | j3PHT0tBBF.msi | Get hash | malicious | Unknown | Browse | -
C:\Users\user\AppData\Roaming\abd1 .exe | B0LET0 VENC 060320234273168 WFTBCLZUJMVFEDSWZXMLWSBRA.msi | Get hash | malicious | Unknown | Browse | -
C:\Users\user\AppData\Roaming\abd1 .exe | rPedido-Danfe-03-03-202316872pnlc.msi | Get hash | malicious | Unknown | Browse | -
C:\Users\user\AppData\Roaming\abd1 .exe | Autos-Processo 27-02-2023 ligh.msi | Get hash | malicious | Unknown | Browse | -
C:\Users\user\AppData\Roaming\abd1 .exe | rEmita-Danfe-01-03-20234076czdg.msi | Get hash | malicious | Unknown | Browse | -
C:\Users\user\AppData\Roaming\abd1 .exe | Formulario_20183.msi | Get hash | malicious | Hidden Macro 4.0 | Browse | -
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:modified
                                                                      Size (bytes):1644
                                                                      Entropy (8bit):5.445719283450994
                                                                      Encrypted:false
                                                                      SSDEEP:48:3XGATARud3XLWZLeAK+fU/l8CfAAX6H7j:3XZAC7WZdlFi6f
                                                                      MD5:6DFF742633E2C90EF85B3BC3CE6C7516
                                                                      SHA1:1418B396E5781D8F4B9780CE5EE7846FB1066CE6
                                                                      SHA-256:0BD2840D7E27C431FEBAF1983AD925DB22598F6BCD8BDA7064830B6AE10A6C75
                                                                      SHA-512:16325BB8DDBCFA2465486FA2BB9805388084A4530E832C36974B76FE44FD1E67EB112B07832E3965FE9F28E1CE733B1F36EE98CB867AB8C5118A25F4D120602E
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:...@IXOS.@.....@pemV.@.....@.....@.....@.....@.....@......&.{5B6DD163-ACCC-4C96-9556-2D5AA8D5D479}..S.e.g.u.r.a.n...a...rPEDIDOS-10032023-X491kkum.msi.@.....@.....@.....@........&.{68A5F6A7-5AB7-4451-962B-689A3F097BD8}.....@.....@.....@.....@.......@.....@.....@.......@......S.e.g.u.r.a.n...a.......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]....ProcessComponents%.Atualizando o registro de componentes..&.{1A573064-1B56-414E-839D-1FB0EE20F8DE}&.{5B6DD163-ACCC-4C96-9556-2D5AA8D5D479}.@......&.{9F670939-91D7-4A6F-B74F-10A75617B066}&.{5B6DD163-ACCC-4C96-9556-2D5AA8D5D479}.@......&.{50603510-D628-4AD2-A8C3-1D0F10537A09}&.{5B6DD163-ACCC-4C96-9556-2D5AA8D5D479}.@......&.{6974057C-0176-4435-83DE-6C1B9EDBDB20}&.{5B6DD163-ACCC-4C96-9556-2D5AA8D5D479}.@........CreateFolders..Criando novas pastas..Pasta: [1]"...C:\Users\user\AppData\Roaming\.@..............0.......L...................I..~.......................I..~.........X....
                                                                      Process:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):32
                                                                      Entropy (8bit):4.351409765557392
                                                                      Encrypted:false
                                                                      SSDEEP:3:1EypyozQMyn:1Xpyo8My
                                                                      MD5:D52909855E2157AD7D5D4E05C1DEFA21
                                                                      SHA1:E613BD15E9B8E4595013F1D9FDA1E577D10AFA70
                                                                      SHA-256:3374159757E2BE0E85B80649620235E89FDF803D2EEEE841BD749E80D38E172D
                                                                      SHA-512:CB72BB2932D2B047D437CB3161A14F1BEC906086D08F9DDC3D9F28E45A6B8D7648399F315773457DB09A0910B3E539FF9ABD1CD0CC49FFA367A93576ECC4E0DF
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:[Generate Pasta]..FqOEXeiuvGQm..
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):157822
                                                                      Entropy (8bit):3.799031129490797
                                                                      Encrypted:false
                                                                      SSDEEP:1536:TeLftTm+TXDcHYFEYovdJAwUiMSy7do+O61p0iX+/drvLNgzdVaun0U/fnHSWpHE:YjRowF6LF
                                                                      MD5:0F7927A21133706B8B66D3B7CD561D70
                                                                      SHA1:34F540E25C39E6AD69A03BC1056ECA31EC7AA280
                                                                      SHA-256:2A93987CA635C2449E23F39268B90F57432DAAD0F253F6D39726348DA051C885
                                                                      SHA-512:DA247E3AAC78C0EAAFA2F968788AEC53642A55F6F77E6DB263343CE61A6DEC3B1201C863B3A7C0C97A6D732EF543F218A3744D99944790CF2F0CB53029637495
                                                                      Malicious:false
                                                                      Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .3./.1.3./.2.0.2.3. . .1.2.:.4.3.:.2.7. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.C.8.:.B.C.). .[.1.2.:.4.3.:.2.7.:.5.2.1.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.C.8.:.B.C.). .[.1.2.:.4.3.:.2.7.:.5.2.1.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.C.8.:.B.0.). .[.1.2.:.4.3.:.2.7.:.5.8.3.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.C.8.:.B.0.). .[.1.2.:.4.3.:.2.7.:.5.8.3.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):7307776
                                                                      Entropy (8bit):7.862500839740274
                                                                      Encrypted:false
                                                                      SSDEEP:98304:0TuTukB9ZdQnqVW+XCov5D6kZP1whtYtYTrYjf7z3TRzFk7JEpxB/iBFvIc5FzhV:RikB9QcyyVZQYYrYjbIJOxBkhDFzhV
                                                                      MD5:49181C88ADE15565DB6A6C5444C6D1FB
                                                                      SHA1:C918A843BA8C9C475DBCEC6027EA87108421AFA9
                                                                      SHA-256:7CD174F7EB04F0B58F059225F6DAE89A7B43195D8DCE8DD6822E4F2075B48E8F
                                                                      SHA-512:CCE55E0EEE47B96552C3D0DD17161AC076E534698BFF601BFFE0BA92B2C316046F4C9BE6EDCF971F0F7BF87DB12E8A9B8F30481E801F538FD2863C2BFAD75F01
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 36%
                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....I.d.............................,1...........@...........................=.....u>p...............................0......P=.h....`=......................p=.h....................................................................................text....`........Q.................`....sedata......p........Q............. ....idata.......P=......do.............@....rsrc........`=......jo.............@....reloc.......p=......no.............@..B.sedata.......=......ro.............@..@................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):1856512
                                                                      Entropy (8bit):6.763893864307226
                                                                      Encrypted:false
                                                                      SSDEEP:24576:fMWohhojVlG981FE03Pb+Cp67LkDdlXUi+nNv3O5AcAQNwuWSfJST4HCLgCGT/TH:KhujVl6p8UiaAKRT4HCUN1
                                                                      MD5:CEEF4762B36067F1D32A0DB621EE967E
                                                                      SHA1:D23DA38DF6B0FCA8C524B641C59C700A2338648E
                                                                      SHA-256:EFB6169BBB869A849AFB91184A75B906FE509CBF6E672B6B4F3311C02343BBBB
                                                                      SHA-512:6301871A95E48F2873B60C706757AF38D956C895112F14C28EAC4C4A83456A1ACDF15D0A5B1CD35F267A4149DC78B2469C427BDE6A1BF5AA99DE51D5E824D1B3
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\abd1 .exe, Author: Joe Security
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Joe Sandbox View:
                                                                      • Filename: j3PHT0tBBF.msi, Detection: malicious, Browse
                                                                      • Filename: j3PHT0tBBF.msi, Detection: malicious, Browse
                                                                      • Filename: B0LET0 VENC 060320234273168 WFTBCLZUJMVFEDSWZXMLWSBRA.msi, Detection: malicious, Browse
                                                                      • Filename: rPedido-Danfe-03-03-202316872pnlc.msi, Detection: malicious, Browse
                                                                      • Filename: Autos-Processo 27-02-2023 ligh.msi, Detection: malicious, Browse
                                                                      • Filename: rEmita-Danfe-01-03-20234076czdg.msi, Detection: malicious, Browse
                                                                      • Filename: Formulario_20183.msi, Detection: malicious, Browse
                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....a..................................... ....@........................... .................@......................P....@...F.......................@......@....................................................L...............................text...t........................... ..`.itext.............................. ..`.data........ ......................@....bss.....f...............................idata...F...@...H..................@....edata..P...........................@..@.tls....L................................rdata..............................@..@.reloc..@...........................@..B.rsrc...............................@..@....................................@..@........................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {68A5F6A7-5AB7-4451-962B-689A3F097BD8}, Number of Words: 10, Subject: Segurana, Author: windows, Name of Creating Application: Segurana, Template: ;1046, Comments: windows, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Mar 12 22:05:34 2023, Number of Pages: 200
                                                                      Category:dropped
                                                                      Size (bytes):8616448
                                                                      Entropy (8bit):7.9244217815512314
                                                                      Encrypted:false
                                                                      SSDEEP:196608:WKKwxsB9zvB1Qd+/RrcIL/NPCAkuAT+aCF:WYxsId+/iILlvkuYC
                                                                      MD5:09BA2F3996FE2389D374753896BD593B
                                                                      SHA1:D19351EA7140E44F0DB0DE6A997E6F6694B5E5F9
                                                                      SHA-256:9DE598AD601033A29A124DAEE8DA5C18AB0A1322411207C4A3DAF9F73CF6DB21
                                                                      SHA-512:58096FB8138E1885BA189729E37038418E9999AD8A52E2374D13A0A4650798241EF354BAA055C1BDD574C7260D4441E7A652057D321385EF7546A05D8E088B9C
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):592288
                                                                      Entropy (8bit):6.451258406471538
                                                                      Encrypted:false
                                                                      SSDEEP:6144:AgfrHltQFK4iVWYFkkc0V1koKRcWyxjg3AOqQb985Gt5A6U:AgDfnzVbkY1kdRlz8M98536U
                                                                      MD5:89AFE34385AB2B63A7CB0121792BE070
                                                                      SHA1:56CDF3F32D03AA4A175FA69A33A21AAF5B42078D
                                                                      SHA-256:36E35EAFC91451A38AD7E7958156841CD2F004D5791FD862D5AFA4D5F9DF9103
                                                                      SHA-512:14A851B3B4D3B8DBB9A2B3EA84D3C30FC9884A8924AF0726A717C68DB5E8F5E717DC78CA62E5F455010E46C1FECF294791B89F7426CC14FFDD4C84945518BB9C
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1988
                                                                      Entropy (8bit):5.100235522359752
                                                                      Encrypted:false
                                                                      SSDEEP:48:SXGATA4Z3Xqw7Uo/aNeA6D+oJukcpqT7AX657kmLW:SXZAmaO0bpqT7i6imC
                                                                      MD5:E63D6AED32F9D01F61154B6BAB4F7FBE
                                                                      SHA1:301C95C820D7E544019684333D3FE3D34598E10E
                                                                      SHA-256:7C365B13E6AD188EE21AAFB0D36480B9C5730DC1B0A57F4A2296B8BDA9A4A390
                                                                      SHA-512:91FA92F22873DF0FCA8AC5DD3B9A0F68606BD9E0BE382CF17EB13C599163C34B7C4986F0C012405F49C2F49A9A838B962473E1C4CEA804578BCE632E6AC302F0
                                                                      Malicious:false
                                                                      Preview:...@IXOS.@.....@pemV.@.....@.....@.....@.....@.....@......&.{5B6DD163-ACCC-4C96-9556-2D5AA8D5D479}..S.e.g.u.r.a.n...a...rPEDIDOS-10032023-X491kkum.msi.@.....@.....@.....@........&.{68A5F6A7-5AB7-4451-962B-689A3F097BD8}.....@.....@.....@.....@.......@.....@.....@.......@......S.e.g.u.r.a.n...a.......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]...@.......@........ProcessComponents%.Atualizando o registro de componentes...@.....@.....@.]....&.{1A573064-1B56-414E-839D-1FB0EE20F8DE}..C:\Users\user\AppData\Roaming\.@.......@.....@.....@......&.{9F670939-91D7-4A6F-B74F-10A75617B066}&.0.1.:.\.S.o.f.t.w.a.r.e.\.w.i.n.d.o.w.s.\.S.e.g.u.r.a.n...a.\.V.e.r.s.i.o.n..@.......@.....@.....@......&.{50603510-D628-4AD2-A8C3-1D0F10537A09}(.C:\Users\user\AppData\Roaming\WebUI.dll.@.......@.....@.....@......&.{6974057C-0176-4435-83DE-6C1B9EDBDB20}(.C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.a.b.d.1.....e.x.e..@.......@..
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):20480
                                                                      Entropy (8bit):1.1736422819978474
                                                                      Encrypted:false
                                                                      SSDEEP:12:JSbX72FjyAGiLIlHVRpph/7777777777777777777777777vDHFPTJtFkbWl0i8Q:JsQI5dtXIF
                                                                      MD5:8167DB47ED3F2A1B30BF7755088B4032
                                                                      SHA1:FFB6BD4338926822F5FB79E3847F58C6E91E9AF8
                                                                      SHA-256:1089B1B48E685F550720678919AD560CD494D47FA14ABA221588C99EC7935775
                                                                      SHA-512:8BBD1574A3CC13B9D784ED8CFF13CE8573D5F3074D8B14DC4402F54A70864BA4D9439CD021A20EC815F8C6B396567F280B8DFB7F870E58A3FE3E9B5582E55F30
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):20480
                                                                      Entropy (8bit):1.5043807746884357
                                                                      Encrypted:false
                                                                      SSDEEP:48:p8PhBuRc06WXJUFT5+cFBZA1mSKsAEKgCyjMHk2mSKqT0/s:khB1XFT8gZflkC0Moh
                                                                      MD5:827C0BD0477802122F1F22E65F2813F8
                                                                      SHA1:15406064C30AD342CBA790EA792BABD102A16EC0
                                                                      SHA-256:E5AE9DA278D0B38E9F82628BEC7BC348378DEBA3AAED962B69C4594FB4DDCA7D
                                                                      SHA-512:1E36F626AC36DE83A0DBA69F2C7030C7D268D96ACC12257E1004073D61DD4FC11C6B02E5F855975ED28A1D3B3DA80BB301E01D735A779BF35931A9F6D9C75B22
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):192827
                                                                      Entropy (8bit):5.392024218861418
                                                                      Encrypted:false
                                                                      SSDEEP:3072:iHHJCoX5CNWFHjkzRl1pqf5JjzH6wbxygaK8Nkv6kF8Kwu8K8uBD556GIlZZ6bFJ:i0LVlA/
                                                                      MD5:1F9E5758A7D5E9745E20725C54661744
                                                                      SHA1:C45A68BB564EE8DF222B8DD894865BDE567FBAFE
                                                                      SHA-256:F0BFD58384E29514289ED5ED04C805DBE855836C5DD9A0C06F3B04138EBBA215
                                                                      SHA-512:4ED4A14F0320C19CBC7C6EACCD65CC4B6B3EF7BA4E51ED631331125C642793D3C4FFBAE494F5B902875CEC19268E088EB47418438716BC726021A1405CC8658E
                                                                      Malicious:false
                                                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 10:13:25.847 [3928]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.863 [3928]: ngen returning 0x00000000..07/23/2020 10:13:25.925 [1900]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.925 [1900]: ngen returning 0x00000000..07/23/2020 10:13:25.972 [4436]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /N
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):32768
                                                                      Entropy (8bit):1.2094570717391568
                                                                      Encrypted:false
                                                                      SSDEEP:48:Si5uZO+CFXJJT5UcFBZA1mSKsAEKgCyjMHk2mSKqT0/s:55hxTOgZflkC0Moh
                                                                      MD5:6B9D551BC7364EAB4D1472091D4B0E84
                                                                      SHA1:35F13FD948C36A5E52B3FCA3BE6B0884FFE856C7
                                                                      SHA-256:BC2523A96EE8C5688A3FF27280D4EF75DEEEA5207CBCAD3D6886150843A5F22F
                                                                      SHA-512:BBA713A39E7E7C25413BACA50270524FF35E0C7953EBD97A1F182776804D954DB984F78F6CE2145C79D184D33C5EB66C31E7ECD257CD0C34D4AA69925AA61EBA
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):32768
                                                                      Entropy (8bit):1.2094570717391568
                                                                      Encrypted:false
                                                                      SSDEEP:48:Si5uZO+CFXJJT5UcFBZA1mSKsAEKgCyjMHk2mSKqT0/s:55hxTOgZflkC0Moh
                                                                      MD5:6B9D551BC7364EAB4D1472091D4B0E84
                                                                      SHA1:35F13FD948C36A5E52B3FCA3BE6B0884FFE856C7
                                                                      SHA-256:BC2523A96EE8C5688A3FF27280D4EF75DEEEA5207CBCAD3D6886150843A5F22F
                                                                      SHA-512:BBA713A39E7E7C25413BACA50270524FF35E0C7953EBD97A1F182776804D954DB984F78F6CE2145C79D184D33C5EB66C31E7ECD257CD0C34D4AA69925AA61EBA
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):73728
                                                                      Entropy (8bit):0.11422722675582953
                                                                      Encrypted:false
                                                                      SSDEEP:24:XNt8q+aRTxwtwipVwtawtwipVwtSAEVwtyjCyjMHVO3wGyN+kvAJrR7:X5FRT2mSKZmSKsAEKgCyjMHksZAJF7
                                                                      MD5:17D3D49F2DA4EFDAB6AC2DEF22541AEF
                                                                      SHA1:61E8B303192D8A4201E2DE95B75B2193CB9D2F45
                                                                      SHA-256:2BB6F59AA3BDD9417C96FFE47C5AB2510CCA51A76AC15C9CF7D04AA1F0B536DA
                                                                      SHA-512:0DD4E91B69970857AF6CEC61C98739BDB02B472F7C302CFC5B9A7745C920BB3D0FF6EC32985DA6EBC14C4AC0C62F6766B844512EAA28A51DE774689C32BC1EB4
                                                                      Malicious:false
                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):20480
                                                                      Entropy (8bit):1.5043807746884357
                                                                      Encrypted:false
                                                                      SSDEEP:48:p8PhBuRc06WXJUFT5+cFBZA1mSKsAEKgCyjMHk2mSKqT0/s:khB1XFT8gZflkC0Moh
                                                                      MD5:827C0BD0477802122F1F22E65F2813F8
                                                                      SHA1:15406064C30AD342CBA790EA792BABD102A16EC0
                                                                      SHA-256:E5AE9DA278D0B38E9F82628BEC7BC348378DEBA3AAED962B69C4594FB4DDCA7D
                                                                      SHA-512:1E36F626AC36DE83A0DBA69F2C7030C7D268D96ACC12257E1004073D61DD4FC11C6B02E5F855975ED28A1D3B3DA80BB301E01D735A779BF35931A9F6D9C75B22
                                                                      Malicious:false
                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):32768
                                                                      Entropy (8bit):0.07860557329972817
                                                                      Encrypted:false
                                                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOqEzmwZLXtFcRltgVky6lW:2F0i8n0itFzDHFPTJtFkbW
                                                                      MD5:03906A15A48DB92FEC9EBCF03C15FCEC
                                                                      SHA1:C2C4A35C55B21DA24B5A5CAB966E57152333919D
                                                                      SHA-256:CB7360795F2F2CFA11E5BC5A72018E1FF5D16507659F8996D4FA31E16A883ABE
                                                                      SHA-512:0E97EA33EB802B308294752143D87A723E129B85344F317A14764DAF6AE2258B92ABDB1EDBF10E58C54973F10F4589AB690350620917EEE688E60FB992B5E366
                                                                      Malicious:false
                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):32768
                                                                      Entropy (8bit):1.2094570717391568
                                                                      Encrypted:false
                                                                      SSDEEP:48:Si5uZO+CFXJJT5UcFBZA1mSKsAEKgCyjMHk2mSKqT0/s:55hxTOgZflkC0Moh
                                                                      MD5:6B9D551BC7364EAB4D1472091D4B0E84
                                                                      SHA1:35F13FD948C36A5E52B3FCA3BE6B0884FFE856C7
                                                                      SHA-256:BC2523A96EE8C5688A3FF27280D4EF75DEEEA5207CBCAD3D6886150843A5F22F
                                                                      SHA-512:BBA713A39E7E7C25413BACA50270524FF35E0C7953EBD97A1F182776804D954DB984F78F6CE2145C79D184D33C5EB66C31E7ECD257CD0C34D4AA69925AA61EBA
                                                                      Malicious:false
                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):20480
                                                                      Entropy (8bit):1.5043807746884357
                                                                      Encrypted:false
                                                                      SSDEEP:48:p8PhBuRc06WXJUFT5+cFBZA1mSKsAEKgCyjMHk2mSKqT0/s:khB1XFT8gZflkC0Moh
                                                                      MD5:827C0BD0477802122F1F22E65F2813F8
                                                                      SHA1:15406064C30AD342CBA790EA792BABD102A16EC0
                                                                      SHA-256:E5AE9DA278D0B38E9F82628BEC7BC348378DEBA3AAED962B69C4594FB4DDCA7D
                                                                      SHA-512:1E36F626AC36DE83A0DBA69F2C7030C7D268D96ACC12257E1004073D61DD4FC11C6B02E5F855975ED28A1D3B3DA80BB301E01D735A779BF35931A9F6D9C75B22
                                                                      Malicious:false
                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {68A5F6A7-5AB7-4451-962B-689A3F097BD8}, Number of Words: 10, Subject: Segurana, Author: windows, Name of Creating Application: Segurana, Template: ;1046, Comments: windows, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Mar 12 22:05:34 2023, Number of Pages: 200
                                                                      Entropy (8bit):7.9244217815512314
                                                                      TrID:
                                                                      • Microsoft Windows Installer (77509/1) 52.18%
                                                                      • Windows SDK Setup Transform Script (63028/2) 42.43%
                                                                      • Generic OLE2 / Multistream Compound File (8008/1) 5.39%
                                                                      File name:rPEDIDOS-10032023-X491kkum.msi
                                                                      File size:8616448
                                                                      MD5:09ba2f3996fe2389d374753896bd593b
                                                                      SHA1:d19351ea7140e44f0db0de6a997e6f6694b5e5f9
                                                                      SHA256:9de598ad601033a29a124daee8da5c18ab0a1322411207c4a3daf9f73cf6db21
                                                                      SHA512:58096fb8138e1885ba189729e37038418e9999ad8a52e2374d13a0a4650798241ef354baa055c1bdd574c7260d4441e7a652057d321385ef7546a05d8e088b9c
                                                                      SSDEEP:196608:WKKwxsB9zvB1Qd+/RrcIL/NPCAkuAT+aCF:WYxsId+/iILlvkuYC
                                                                      TLSH:74962325B2C78533C65C017BE929FF1E1539BEA3133141E3B6E43D6E98F08C1A6B9A51
                                                                      File Content Preview:........................>.......................................................E.......b.......n...............................................e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...{...|...}...~..........
                                                                      Icon Hash:a2a0b496b2caca72
                                                                       Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                                                       Mar 13, 2023 12:44:10.671967030 CET  49697        80         192.168.2.3    81.176.228.4
                                                                       Mar 13, 2023 12:44:10.726047993 CET  80           49697      81.176.228.4   192.168.2.3
                                                                       Mar 13, 2023 12:44:10.726336956 CET  49697        80         192.168.2.3    81.176.228.4
                                                                       Mar 13, 2023 12:44:10.726713896 CET  49697        80         192.168.2.3    81.176.228.4
                                                                       Mar 13, 2023 12:44:10.816831112 CET  80           49697      81.176.228.4   192.168.2.3
                                                                       Mar 13, 2023 12:44:10.860805988 CET  80           49697      81.176.228.4   192.168.2.3
                                                                       Mar 13, 2023 12:44:10.860909939 CET  49697        80         192.168.2.3    81.176.228.4
                                                                       Mar 13, 2023 12:44:11.168334007 CET  49698        80         192.168.2.3    15.228.77.178
                                                                       Mar 13, 2023 12:44:14.175908089 CET  49698        80         192.168.2.3    15.228.77.178
                                                                       Mar 13, 2023 12:44:20.192008972 CET  49698        80         192.168.2.3    15.228.77.178
                                                                       Mar 13, 2023 12:46:00.544152021 CET  49697        80         192.168.2.3    81.176.228.4
                                                                       Mar 13, 2023 12:46:00.598174095 CET  80           49697      81.176.228.4   192.168.2.3
                                                                       Mar 13, 2023 12:46:00.600824118 CET  49697        80         192.168.2.3    81.176.228.4
                                                                       Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                                                       Mar 13, 2023 12:44:10.638320923 CET  62704        53         192.168.2.3    8.8.8.8
                                                                       Mar 13, 2023 12:44:10.656769991 CET  53           62704      8.8.8.8        192.168.2.3
                                                                       Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                    Type            Class        DNS over HTTPS
                                                                       Mar 13, 2023 12:44:10.638320923 CET  192.168.2.3  8.8.8.8  0x24d3    Standard query (0)  telemarketin-ru.1gb.ru  A (IP address)  IN (0x0001)  false
                                                                       Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                    CName  Address       Type            Class        DNS over HTTPS
                                                                       Mar 13, 2023 12:44:10.656769991 CET  8.8.8.8    192.168.2.3  0x24d3    No error (0)  telemarketin-ru.1gb.ru         81.176.228.4  A (IP address)  IN (0x0001)  false
                                                                      • telemarketin-ru.1gb.ru
                                                                       Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                       0           192.168.2.3  49697        81.176.228.4    80                C:\Users\user\AppData\Roaming\abd1 .exe
                                                                       Timestamp                            kBytes transferred  Direction  Data
                                                                       Mar 13, 2023 12:44:10.726713896 CET  154                 OUT        GET /pedro/inspecionando.php HTTP/1.1
                                                                                                                                           Accept: */*
                                                                                                                                           Accept-Language: en-US
                                                                                                                                           Accept-Encoding: gzip, deflate
                                                                                                                                           User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                           Host: telemarketin-ru.1gb.ru
                                                                                                                                           Connection: Keep-Alive
                                                                       Mar 13, 2023 12:44:10.860805988 CET  155                 IN         HTTP/1.1 200 OK
                                                                                                                                           Date: Mon, 13 Mar 2023 11:44:10 GMT
                                                                                                                                           Server: Apache/2.4
                                                                                                                                           X-Powered-By: PHP/7.4.33
                                                                                                                                           Content-Length: 0
                                                                                                                                           Content-Type: text/html; charset=UTF-8

                                                                      Target ID:0
                                                                      Start time:12:43:27
                                                                      Start date:13/03/2023
                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\rPEDIDOS-10032023-X491kkum.msi"
                                                                      Imagebase:0x7ff71dcc0000
                                                                      File size:66048 bytes
                                                                      MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      Target ID:1
                                                                      Start time:12:43:27
                                                                      Start date:13/03/2023
                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                                                      Imagebase:0x7ff71dcc0000
                                                                      File size:66048 bytes
                                                                      MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      Target ID:2
                                                                      Start time:12:43:30
                                                                      Start date:13/03/2023
                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding EC5E3FB451649D45F397BF6A1C544ED2
                                                                      Imagebase:0x2a0000
                                                                      File size:59904 bytes
                                                                      MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      Target ID:3
                                                                      Start time:12:43:32
                                                                      Start date:13/03/2023
                                                                      Path:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                      Imagebase:0x400000
                                                                      File size:1856512 bytes
                                                                      MD5 hash:CEEF4762B36067F1D32A0DB621EE967E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000000.271003377.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000003.284533577.0000000004B43000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.608853971.0000000004D31000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\abd1 .exe, Author: Joe Security
                                                                      Antivirus matches:
                                                                      • Detection: 0%, ReversingLabs
                                                                      Reputation:low

                                                                      Target ID:13
                                                                      Start time:12:44:40
                                                                      Start date:13/03/2023
                                                                      Path:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Roaming\abd1 .exe"
                                                                      Imagebase:0x400000
                                                                      File size:1856512 bytes
                                                                      MD5 hash:CEEF4762B36067F1D32A0DB621EE967E
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.580917188.0000000004D14000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:low

                                                                      Target ID:14
                                                                      Start time:12:44:50
                                                                      Start date:13/03/2023
                                                                      Path:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Roaming\abd1 .exe"
                                                                      Imagebase:0x400000
                                                                      File size:1856512 bytes
                                                                      MD5 hash:CEEF4762B36067F1D32A0DB621EE967E
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000E.00000002.584150699.0000000004DC6000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:low


                                                                        Execution Graph

                                                                        Execution Coverage:1.4%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:4
                                                                        Total number of Limit Nodes:0

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetNativeSystemInfo.KERNEL32(?), ref: 00F1F209
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.595147718.0000000000F1F000.00000040.00000001.01000000.00000004.sdmp, Offset: 00F1F000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_f1f000_abd1 .jbxd
                                                                        Similarity
                                                                        • API ID: InfoNativeSystem
                                                                        • String ID: kernel32.dll
                                                                        • API String ID: 1721193555-1793498882
                                                                        • Opcode ID: 2b03f6e9bafb60f8d1e62829797795b3b5fe64af22a87aafd444987042fd12ea
                                                                        • Instruction ID: 38cc42d1b26b1096d5bea405fb47a93df6ba6cd4a40f4776a06d5f17ad2d558a
                                                                        • Opcode Fuzzy Hash: 2b03f6e9bafb60f8d1e62829797795b3b5fe64af22a87aafd444987042fd12ea
                                                                        • Instruction Fuzzy Hash: 1D718331E042848BC754EB64DA41ADB3BE6FF45324F148539A4858B2A6C774DCCDFB46
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.595147718.0000000000D1C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D1C000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_d1c000_abd1 .jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5d1133952d1c056385b99b047e51325c0025d683b2250cc90c2fe2a67c2ec534
                                                                        • Instruction ID: 99b14476908939410e98b03d7b6485f42346b100b0f37c99994b2e07f890980e
                                                                        • Opcode Fuzzy Hash: 5d1133952d1c056385b99b047e51325c0025d683b2250cc90c2fe2a67c2ec534
                                                                        • Instruction Fuzzy Hash: E5714A34A00608EFCB14DF98D581EAEB7F5FF49310F2841A5E845AB3A6D730AE45DB61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.595147718.0000000000D1C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D1C000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_d1c000_abd1 .jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 04e2668303e0bef5fb387fa23f5955383b1d02228eedc7c74c8f189ae14d2759
                                                                        • Instruction ID: 1dda49b267c1e45dfaf4ba7d21b70cd2e27ebed7c5e166e142575a075b78d61d
                                                                        • Opcode Fuzzy Hash: 04e2668303e0bef5fb387fa23f5955383b1d02228eedc7c74c8f189ae14d2759
                                                                        • Instruction Fuzzy Hash: 8541EFB0A042448FDB04DF65CA91ABABBF5EF49310F1480A9EC40EB392E7749E40DB71
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.595147718.0000000000D1C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D1C000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_d1c000_abd1 .jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c7e51eca0206f9e03df88de5327af9a31103b8aa794b2f7fbadb3c9ba0617516
                                                                        • Instruction ID: cc6b3426de352ae0a987e05544d7d1f09ba59526bee437604b2d6f765ef9cbac
                                                                        • Opcode Fuzzy Hash: c7e51eca0206f9e03df88de5327af9a31103b8aa794b2f7fbadb3c9ba0617516
                                                                        • Instruction Fuzzy Hash: 3C119BB4A04248EFD749DF99CA95D59BBF9FB49700B2145E1F804DB362C630EE00EB20
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.595147718.0000000000D1C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D1C000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_d1c000_abd1 .jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3ad7c0f0654d27b44ad781b2c46569f51ac305b39c919bd0ceecdf2451fa956a
                                                                        • Instruction ID: 0694a3af978c7c2e32d4fd02c08e13519cd929b996383f2eee9166eefc0be2f2
                                                                        • Opcode Fuzzy Hash: 3ad7c0f0654d27b44ad781b2c46569f51ac305b39c919bd0ceecdf2451fa956a
                                                                        • Instruction Fuzzy Hash: B3015E792042008FDB14DF28D4C0A973BD5AF49324F2406A9F829DB396D67ADC45CB61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.595147718.0000000000D1C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D1C000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_d1c000_abd1 .jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1200550eb2ceaa00a4b81dec34e462c098a0ed91c30c0314296ba995c2c13303
                                                                        • Instruction ID: 730a1c846d198e39532daea587e8a3501b07982c5a4b06b9021289d13ce86d5c
                                                                        • Opcode Fuzzy Hash: 1200550eb2ceaa00a4b81dec34e462c098a0ed91c30c0314296ba995c2c13303
                                                                        • Instruction Fuzzy Hash: AA011B342001A08BC7159F65C4807A9B7A0AF19301F0885BAFC8ADF757D778A945D7B5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.595147718.0000000000D1C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D1C000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_d1c000_abd1 .jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8ce138939e27f11b5aee03f8b32f0d33a0d6a8ce2df340b5d5df7d91f7cbcfe8
                                                                        • Instruction ID: b308fa121fac9f14ca67c154565ab460013bccb12ca4f105baf28662487766ea
                                                                        • Opcode Fuzzy Hash: 8ce138939e27f11b5aee03f8b32f0d33a0d6a8ce2df340b5d5df7d91f7cbcfe8
                                                                        • Instruction Fuzzy Hash: 4DF030B53006504FC7049F2D98C46567BE9AF8E221B1800B6F549CB326CA64EC45DB60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.595147718.0000000000D1C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D1C000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_d1c000_abd1 .jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 732e66de5be0ae0be222d949bf38e77f193daa33623fdd1c725a8c14a7a9a9cb
                                                                        • Instruction ID: 357255e18a34ec2671aaf39a8cb516c385f170ab3bb82b8bd4cb6924882f3fb2
                                                                        • Opcode Fuzzy Hash: 732e66de5be0ae0be222d949bf38e77f193daa33623fdd1c725a8c14a7a9a9cb
                                                                        • Instruction Fuzzy Hash: F7D0C7752442089F830DDF45ECD0C5577ADFB8D754740419DF505CB365CB31AC00CAA9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.595147718.0000000000D1C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D1C000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_d1c000_abd1 .jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ba86e9241df70e7d6ad8ca9ded58ce24eeae9c0e7dd4469798b7c61ea1c5e27b
                                                                        • Instruction ID: 834565eb4f88b45801865cdd03898a235713c2453d92c9ab2c93c9b828966e62
                                                                        • Opcode Fuzzy Hash: ba86e9241df70e7d6ad8ca9ded58ce24eeae9c0e7dd4469798b7c61ea1c5e27b
                                                                        • Instruction Fuzzy Hash: 5CD09E752442089F830DDF45E8D0C5577ADFB897547404199F505CB265CB31AC00CA69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.595147718.0000000000D1C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D1C000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_d1c000_abd1 .jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b6d23a21333707da4b336637ca6c5b73a634d9a4bb327626e71762cb24903d46
                                                                        • Instruction ID: 8998ec65172bb9921852e0eef692f2a0a726dd290ef3ad7588b0fb4d32405a20
                                                                        • Opcode Fuzzy Hash: b6d23a21333707da4b336637ca6c5b73a634d9a4bb327626e71762cb24903d46
                                                                        • Instruction Fuzzy Hash: 8ED0C2FA100314DF8705CF48D5C4C9137B9FB9D61131686D6E5464F236E770E904DB61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.595147718.0000000000D1C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D1C000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_d1c000_abd1 .jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6f28001b9d716be726c9ad2c81b041e67e6ce94eea0ba1f0fdd07eebc7e9ed7e
                                                                        • Instruction ID: d532aa07f1b68a4ceac412c93ee90b3ee75530d494710e2c3e42419d95cdd3d8
                                                                        • Opcode Fuzzy Hash: 6f28001b9d716be726c9ad2c81b041e67e6ce94eea0ba1f0fdd07eebc7e9ed7e
                                                                        • Instruction Fuzzy Hash: 8DA00235514604B6D540F728F84276D2764E6463107D40650744CF6266CDD45EC14BB5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: DTLSv1_client_method$DTLSv1_method$DTLSv1_server_method$EVP_cleanup$FIPS_mode$FIPS_mode_set$OpenSSL_add_all_ciphers$OpenSSL_add_all_digests$SSL_CTX_callback_ctrl$SSL_CTX_check_private_key$SSL_CTX_ctrl$SSL_CTX_free$SSL_CTX_get_verify_depth$SSL_CTX_load_verify_locations$SSL_CTX_new$SSL_CTX_set_cipher_list$SSL_CTX_set_default_passwd_cb$SSL_CTX_set_default_passwd_cb_userdata$SSL_CTX_set_verify$SSL_CTX_set_verify_depth$SSL_CTX_use_PrivateKey$SSL_CTX_use_PrivateKey_file$SSL_CTX_use_certificate$SSL_CTX_use_certificate_chain_file$SSL_CTX_use_certificate_file$SSL_SESSION_get_id$SSL_accept$SSL_alert_desc_string_long$SSL_alert_type_string_long$SSL_callback_ctrl$SSL_connect$SSL_copy_session_id$SSL_ctrl$SSL_free$SSL_get_error$SSL_get_peer_certificate$SSL_get_session$SSL_library_init$SSL_load_error_strings$SSL_new$SSL_peek$SSL_pending$SSL_read$SSL_set_accept_state$SSL_set_connect_state$SSL_set_fd$SSL_set_shutdown$SSL_shutdown$SSL_state_string_long$SSL_write$SSLeay$SSLeay_version$SSLv23_client_method$SSLv23_method$SSLv23_server_method$SSLv2_client_method$SSLv2_method$SSLv2_server_method$SSLv3_client_method$SSLv3_method$SSLv3_server_method$TLSv1_1_client_method$TLSv1_1_method$TLSv1_1_server_method$TLSv1_2_client_method$TLSv1_2_method$TLSv1_2_server_method$TLSv1_client_method$TLSv1_method$TLSv1_server_method$libeay32.dll$sk_dup$sk_find$sk_free$sk_new$sk_new_null$sk_num$sk_push$sk_value$ssleay32.dll
                                                                        • API String ID: 0-1273726410
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.595147718.0000000000F1F000.00000040.00000001.01000000.00000004.sdmp, Offset: 00F1F000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_f1f000_abd1.jbxd
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Cache-control$Connection$Content-Disposition$Content-Encoding$Content-Language$Content-Length$Content-Range$Content-Type$Content-Version$Date$ETag$Expires$Last-Modified$Pragma$Transfer-Encoding
                                                                        • API String ID: 0-35759294
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Accept$Accept-Charset$Accept-Encoding$Accept-Language$Authorization$From$Host$If-Modified-Since$Password$Proxy-Connection$Range$Referer$User-Agent$Username$X-HTTP-Method-Override
                                                                        • API String ID: 0-4239261173
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Cache-control$Connection$Content-Disposition$Content-Encoding$Content-Language$Content-Length$Content-Type$Content-Version$Date$ETag$Expires$Pragma$Transfer-Encoding$charset
                                                                        • API String ID: 0-1087929251
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: DOMAIN$Domain$EXPIRES$Expires$HTTPONLY$HttpOnly$MAX-AGE$Max-Age$PATH$Path$SECURE$Secure
                                                                        • API String ID: 0-1073302861
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Accept$Accept-Charset$Accept-Encoding$Accept-Language$From$Host$Range$Referer$User-Agent$X-HTTP-Method-Override
                                                                        • API String ID: 0-3460215702
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Basic$ISO-8859-1$accept-charset$charset$enc$encoding$realm
                                                                        • API String ID: 0-2243414735
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: +xml$ISO-8859-1$charset$text$us-ascii$xml$xml-external-parsed-entity
                                                                        • API String ID: 0-1430265377
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Accept-Patch$Accept-Ranges$Location$Proxy-Authenticate$Proxy-Connection$Server$WWW-Authenticate
                                                                        • API String ID: 0-736881120
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: DOMAIN$EXPIRES$HTTPONLY$MAX-AGE$PATH$SECURE
                                                                        • API String ID: 0-2339280954
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: %d-%d$Accept-Patch$Accept-Ranges$Content-Range$Last-Modified$bytes
                                                                        • API String ID: 0-1042894229
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Domain$Expires$HttpOnly$Max-Age$Path$Secure
                                                                        • API String ID: 0-3446541736
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 443$://$FTP$HTTP$HTTPS
                                                                        • API String ID: 0-717648058
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • %sContent-Disposition: form-data; name="%s", xrefs: 00D49AF1
                                                                        • ; filename="%s", xrefs: 00D49B34
                                                                        • Content-Type: %s, xrefs: 00D49B77
                                                                        • ; charset="%s", xrefs: 00D49BAE
                                                                        • Content-Transfer-Encoding: %s, xrefs: 00D49BF1
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: %sContent-Disposition: form-data; name="%s"$; charset="%s"$; filename="%s"$Content-Transfer-Encoding: %s$Content-Type: %s
                                                                        • API String ID: 0-408732146
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: P%$_$q$~
                                                                        • API String ID: 0-3083444797
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: application/octet-stream$charset$text$us-ascii
                                                                        • API String ID: 0-4278276847
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%